├── .github
    └── FUNDING.yml
├── .gitignore
├── .gitmodules
├── CONTRIBUTING.md
├── COPYING
├── README.md
├── automatic.sh
├── build.sh
├── misc
    ├── dissect.sh
    └── extract-after-compile.py
├── patches
    ├── 250
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   └── readme.md
    ├── 273
    │   ├── build.sh
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   ├── patches.md
    │   └── readme.md
    ├── 277
    │   ├── asm
    │   │   ├── fn_handler.S
    │   │   └── stdout.S
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   ├── patches.md
    │   └── readme.md
    ├── 278
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   ├── patches.md
    │   └── readme.md
    ├── 279
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   ├── patches.md
    │   └── readme.md
    ├── 277-memdump
    │   ├── asm
    │   │   └── fn_handler.S
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   └── readme.md
    ├── 277-tools
    │   ├── asm
    │   │   ├── fan_handle.S
    │   │   ├── fan_log.S
    │   │   └── tools.S
    │   ├── config
    │   ├── patch_bootloader.json
    │   ├── patch_kernel.json
    │   ├── patch_userland.json
    │   └── readme.md
    └── latest
├── requirements.txt
├── research
    ├── 2022-02-15-initial-findings.md
    ├── 2022-02-16-reproducing-273.md
    ├── 2022-02-17-docs.md
    ├── 2022-02-18-building-279.md
    ├── 2022-02-19-onto-277.md
    ├── img
    │   ├── 273-277-vspchannel-comparison.png
    │   ├── conapp-closing-connection.png
    │   ├── conapp-get-current-context.png
    │   ├── health-ipc-call.png
    │   ├── health-jump-table.png
    │   ├── health_fan_function.png
    │   ├── keypatch-function-entrypoints.png
    │   ├── new-function-entrypoints.png
    │   ├── patch-for-273-identical.png
    │   ├── unkn-libc-call.png
    │   └── vspchannel-logging-ipc.png
    └── readme.md
├── scripts
    ├── aterfax-silence-dl380pG8-screen.sh
    ├── cf-dynamic-fans.sh
    ├── djaenk-quiet-dl380pG8.sh
    ├── dl360gen9-silent.sh
    ├── ja-silence-dl20G9.sh
    ├── kg-silence-dl380eG8.sh
    ├── kg-silence-dl380pG8.sh
    ├── quietFansDL380G9.sh
    ├── readme.md
    └── tty13-fanctrl.sh
└── util
    ├── asm
        ├── fan_research.S
        └── test.S
    ├── common.py
    ├── gcc
        ├── .gitignore
        ├── Makefile
        ├── ilo.h
        ├── ilo_277.h
        ├── main.c
        └── main.lds
    ├── patch.py
    └── repl.py


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | github: kendallgoto
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /venv/
2 | /build/
3 | /binaries/
4 | *.pyc
5 | 


--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "ilo4_toolbox"]
2 | 	path = ilo4_toolbox
3 | 	url = https://github.com/airbus-seclab/ilo4_toolbox.git
4 | 	ignore = dirty
5 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | There aren't really any hard rules here! If you have some additional research, please make a PR / reach out to me and I'd love to chat about it.
 2 | 
 3 | If you'd like to chat about my research, need help getting something setup, etc., please reach out and I'm happy to help.
 4 | 
 5 | For the sake of maintaining a dependable `main` and due to the vulnerability of generating iLO patches, please fully document any patches in PRs so that I can adaquetly vet & test them. Submitted code should never include HP intellectual property -- i.e., no binaries!
 6 | 
 7 | Please submit PRs against the `dev` branch.
 8 | 
 9 | Kendall Goto (k@kgo.to)
10 | /u/iamkgoto
11 | 


--------------------------------------------------------------------------------
/COPYING:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # ilo4_unlock (Silence of the Fans)
  2 | A toolkit for patching HPE's iLO 4 firmware with access to previously inaccessible utilities.
  3 | 
  4 | Specifically, firmware is patched with the ability to access new commands via SSH, relating to system health (`h`), fan tuning (`fan`), on-board temperature sensors (`ocsd`), and option chip health systems (`ocbb`). Designed for [/r/homelab](https://reddit.com/r/homelab) users, this modified firmware provides administrators with the ability to adjust HP's aggressive fan curves on iLO4-equipped servers (such as DL380p / DL380p Gen 8 & Gen 9). Another common use case is to prevent server fans from maxing out when a non-HPE certified PCI-e card is used in a system.
  5 | 
  6 | **Please note: At this time, v2.77 is the most recent iLO that has a working patch. After this version, HP has removed many of the control utilities that make patching v2.78 and v2.79 useful. While this may change in the future, bringing useful tools to v2.79 (the current latest) will take an extremely large amount of work. The patching works fine here, it just does not provide access to useful functions**
  7 | 
  8 | ## Legal
  9 | There is risk for potential damage to your system when utilizing this code. If an error occurs during flashing, or you end up flashing corrupted firmware, the iLO will not be able to recover itself. The iLO's flash chip cannot be programmed on-board, and must be fully desoldered and reprogrammed to recover the functionality. Additionally, utilizing the included new features may cause your server to overheat or otherwise suffer damage. Do not proceed with installing this firmware if you don't know what you're doing. **You have been warned**. There is no warranty for this code nor will I be responsible for any damage you cause. I have personally only tested this firmware on my DL380p Gen8, and DL380e Gen8.
 10 | 
 11 | This repo does not contain any iLO 4 binaries; unmodified or patched as they are owned by HP. Websites have, in the past, been served with cease and desist orders from HP for hosting iLO binaries. For security purposes, I encourage you to follow the steps listed to build the patched version of the iLO yourself, while verifying the contents of the patched code.
 12 | 
 13 | ## Getting Started
 14 | Python 2.7 is required. I built everything on CentOS 8; Other OS/environments might have different requirements. If your setup takes extra effort, please let me know and I'll document it.
 15 | 
 16 | _pro tip! if you're doing this all on a Live CD to flash, make sure you disable iLO security first, or you'll have to restart. See Flashing Firmware for more info_
 17 | 
 18 | Here is my setup for my Ubuntu 22.04 Live CD (as of 2024-12-12):
 19 | ```bash
 20 | sudo apt-add-repository universe
 21 | sudo apt update
 22 | sudo apt-get install python2-minimal git curl
 23 | curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && sudo python2 get-pip.py
 24 | python2 -m pip install virtualenv
 25 | git clone --recurse-submodules https://github.com/kendallgoto/ilo4_unlock.git
 26 | cd ilo4_unlock
 27 | python2 -m virtualenv venv
 28 | source venv/bin/activate
 29 | pip install -r requirements.txt
 30 | ```
 31 | 
 32 | ## Building Firmware
 33 | ``` bash
 34 | ./build.sh init # download necessary HPE binaries
 35 | #./build.sh [patch-name] -- see patches/ folder for more info on each patch!
 36 | ./build.sh 277  # generate iLO v2.77 patched firmware
 37 | # The build setup creates a build/ folder where all the artifacts are stored. The final firmware location will be printed at the end of the script, if no errors are produced.
 38 | ```
 39 | ## Flashing Firmware
 40 | The resulting firmware is located in the `build` directory, under the firmware's name (e.g. `build/ilo4_273.bin.patched` for v2.73 builds). I suggest the following steps to flash the firmware, as you cannot do it from the web interface:
 41 | 1. Copy the resulting firmware to a USB key, along with the flasher files (`binaries/flash_ilo4` & `binaries/CP027911.xml`)
 42 | 2. Remove power from your server, and enable iLO4 Security Override (for me, this was flipping the first DIP switch on the board).
 43 | 3. Boot your server from a baremetal Linux install -- a Ubuntu LiveCD works well.
 44 | 4. Ensure any HP modules are unloaded (`sudo modprobe -r hpilo`)
 45 | 5. Plug in the USB key, rename the firmware to `ilo4_250.bin`, then run `sudo ./flash_ilo4 --direct` to patch your server.
 46 | 6. Resist the urge to unplug the system and break everything while flashing. **It will be loud**. It took 2 minutes to erase, and 1 minute to flash.
 47 | 7. After patching, shut down and remove power from the server to disable the iLO4 security override.
 48 | 
 49 | Following the Getting Started steps, here's what I did after building:
 50 | ```bash
 51 | sudo modprobe -r hpilo
 52 | mkdir -p flash
 53 | cp binaries/flash_ilo4 binaries/CP027911.xml flash/
 54 | cp build/ilo4_277.bin.patched flash/ilo4_250.bin
 55 | cd flash
 56 | sudo ./flash_ilo4 --direct
 57 | # wait until the fans spin down ...
 58 | sudo shutdown now # remove power and disable the security override after shutting down!
 59 | ```
 60 | 
 61 | ## Use
 62 | ```
 63 | FAN:
 64 | Usage:
 65 | 
 66 |   info [t|h|a|g|p]
 67 |                 - display information about the fan controller
 68 |                   or individual information.
 69 |   g             - configure the 'global' section of the fan controller
 70 |   g smsc|start|stop|status
 71 |           start - start the iLO fan controller
 72 |           stop - stop the iLO fan controller
 73 |           smsc - configure the SMSC for manual control
 74 |        ro|rw|nc - set the RO, RW, NC (no_commit) options
 75 |     (blank)     - shows current status
 76 |   t             - configure the 'temperature' section of the fan controller
 77 |   t N on|off|adj|hyst|caut|crit|access|opts|set|unset
 78 |              on - enable temperature sensor
 79 |             off - disable temperature sensor
 80 |             adj - set ADJUSTMENT/OFFSET
 81 |       set/unset - set or clear a fixed simulated temp (also 'fan t set/unset' for show/clear all)
 82 |            hyst - set hysteresis for sensor
 83 |            caut - set CAUTION threshold
 84 |            crit - set CRITICAL threshold
 85 |          access - set ACCESS method for sensor (should be followed by 5 BYTES)
 86 |            opts - set the OPTION field
 87 |   h             - configure the 'tacHometers' section of the fan controller
 88 |   h N on|off|min|hyst|access
 89 |              on - enable sensor N
 90 |             off - disable sensor N
 91 |             min - set MINIMUM tach threshold
 92 |            hyst - set hysteresis
 93 |  grp ocsd|show  - show grouping parameters with OCSD impacts
 94 |   p             - configure the PWM configuration
 95 |   p N on|off|min|max|hyst|blow|pctramp|zero|feton|bon|boff|status|lock X|unlock|tickler|fix|fet|access
 96 |              on - enable (toggle) specified PWM
 97 |             off - disable (toggle) specified PWM
 98 |             min - set MINIMUM speed
 99 |             max - set MAXIMUM speed
100 |            blow - set BLOWOUT speed
101 |             pct - set the PERCETNAGE blowout bits
102 |            ramp - set the RAMP register
103 |            zero - set the force ZEROP bit on/off
104 |           feton - set the FET 'for off' bit on/off
105 |             bon - set BLOWOUT on
106 |            boff - set BLOWOUT off
107 |          status - set STATUS register
108 |            lock - set LOCK speed and set LOCK bit
109 |          unlock - clear the LOCK bit
110 |         tickler - set TICKLER bit on/off - tickles fans even if FAN is stopped
111 |   pid           - configure the PID algorithm
112 |   pid N p|i|d|sp|imin|imax|lo|hi  - configure PID paramaters
113 |                                   - * Use correct FORMAT for numbers!
114 |              p - set the PROPORTIONAL gain
115 |              i - set the INTEGRAL gain
116 |              d - set the DERIVATIVE gain
117 |             sp - set SETPOINT
118 |           imin - set I windup MIN value
119 |           imax - set I windup MAX value
120 |             lo - set output LOW limit
121 |             hi - set output HIGH lmit
122 |  MISC
123 |   rate X        - Change rate to X ms polling (default 3000)
124 |   ramp          - Force a RAMP condition
125 |   dump          - Dump all the fan registers in raw HEX format
126 |   hyst h v1..vN - Perform a test hysteresis with supplied numbers
127 |   desc <0>..<15> - try to decode then execute raw descriptor bytes (5 or 16)
128 |   actn <0>..<15> - try to decode then execute raw action bytes (5 or 16)
129 |   debug trace|t X|h X|a X|g X|p X|off|on
130 |                 - Set the fine control values for the fan FYI level
131 |   DIMM          - DIMM-specific subcommand handler
132 |   DRIVE         - Drive temperature subcommand handler
133 |   MB            - Memory buffer subcommand handler
134 |   PECI          - PECI subcommand handler
135 |  AWAITING DOCUMENTAION
136 |   ms  - multi-segment info
137 |   a N  - algorithms - set parameters for multi-segment.
138 |   w   - weighting
139 | ```
140 | See the [scripts/](scripts/) folder as well.
141 | For info about the lesser used functions, please refer to the relevant reading. I don't use them, so I haven't documented them.
142 | 
143 | ## Getting Involved
144 | Want to get involved? Check out [here](CONTRIBUTING.md)!
145 | 
146 | ## Credits
147 | - Thanks to the work of [Airbus Security Lab](https://github.com/airbus-seclab/ilo4_toolbox); whose previous work exploring iLO 4 & 5 was instrumental in allowing the development of modified iLO firmware.
148 | - And to [/u/phoenixdev](https://www.reddit.com/user/phoenixdev), whose original work on iLO4 v2.60 and v2.73 allowed for fans to be controlled in the first place.  
149 | This repository utilizes modified code from the iLO4 Toolbox. The toolkit invokes code directly from the iLO4 Toolbox, as well as includes modified versions of Airbus Security Lab's original patching code to perform the necessary patches. It also utilizes code originally written by [/u/phoenixdev](https://www.reddit.com/user/phoenixdev) that was reverse-engineered from their patched v2.73 iLO4 firmware.
150 | 
151 | The full documentation on how this code base was derived is fully detailed [in the research/ folder](research/readme.md).
152 | 
153 | ## Relevant Reading & Prior Work
154 | [2019-10-02 /u/phoenixdev's preliminary writeup](https://www.reddit.com/r/homelab/comments/dc7dbc/silence_of_the_fans_preliminary_success_with/)  
155 | [2019-10-15 /u/phoenixdev's first release for v2.60](https://www.reddit.com/r/homelab/comments/di3vrk/silence_of_the_fans_controlling_hp_server_fans/)  
156 | [2020-06-30 /u/phoenixdev's second release for v2.73](https://www.reddit.com/r/homelab/comments/di3vrk/silence_of_the_fans_controlling_hp_server_fans/)  
157 | [Airbus Security Lab's iLO4 Toolbox](https://github.com/airbus-seclab/ilo4_toolbox)  
158 | [Airbus Security Lab's "Subverting your server through its BMC: the HPE iLO4 case" (written version)](https://airbus-seclab.github.io/ilo/SSTIC2018-Article-subverting_your_server_through_its_bmc_the_hpe_ilo4_case-gazet_perigaud_czarny.pdf)  
159 | [Airbus Security Lab's "Subverting your server through its BMC: the HPE iLO4 case" (presented version)](https://airbus-seclab.github.io/ilo/RECONBRX2018-Slides-Subverting_your_server_through_its_BMC_the_HPE_iLO4_case-perigaud-gazet-czarny.pdf)  
160 | 


--------------------------------------------------------------------------------
/automatic.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto.
 5 | #
 6 | # This program is free software: you can redistribute it and/or modify
 7 | # it under the terms of the GNU General Public License as published by
 8 | # the Free Software Foundation, version 3.
 9 | #
10 | # This program is distributed in the hope that it will be useful, but
11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 | # General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 | 
18 | # NOTE: This code isn't necessarily safe! It's my personal notes for everything That
19 | # I had to do to patch my server from a Ubuntu 21.10 Live CD on 2/20/2022.
20 | # On a server, you can run this with
21 | # wget https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/main/automatic.sh && chmod +x automatic.sh && ./automatic.sh
22 | set -e
23 | sudo apt-add-repository -y universe
24 | sudo apt update
25 | sudo apt-get install -y python2-minimal git curl
26 | curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && sudo python2 get-pip.py
27 | python2 -m pip install virtualenv
28 | git clone --recurse-submodules https://github.com/kendallgoto/ilo4_unlock.git
29 | cd ilo4_unlock
30 | python2 -m virtualenv venv
31 | source venv/bin/activate
32 | pip install -r requirements.txt
33 | ./build.sh init
34 | ./build.sh latest
35 | 
36 | sudo modprobe -r hpilo
37 | mkdir -p flash
38 | cp binaries/flash_ilo4 binaries/CP027911.xml flash/
39 | cp build/ilo4_*.bin.patched flash/ilo4_250.bin
40 | 
41 | cd flash
42 | cwd=$(pwd)
43 | 
44 | echo "Ready to flash! Run sudo ./flash_ilo4 --direct inside $CWD"
45 | 


--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | #
  3 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
  4 | # Copyright (c) 2022 Kendall Goto.
  5 | #
  6 | # This program is free software: you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation, version 3.
  9 | #
 10 | # This program is distributed in the hope that it will be useful, but
 11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 13 | # General Public License for more details.
 14 | #
 15 | # You should have received a copy of the GNU General Public License
 16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
 17 | exit_help() {
 18 |     echo "usage: \"$0 <init/latest/patch-name>\""
 19 |     echo "       \"$0 init\" to download binaries on a new install"
 20 |     echo "       \"$0 latest\" to automatically build the latest target"
 21 |     echo "       \"$0 [patch-name]\" to directly build a patch from patches/"
 22 |     exit 1
 23 | }
 24 | check_hash() {
 25 | 	HASH=`sha1sum "$1" | cut -d' ' -f1`
 26 | 	if [ "$HASH" != "$2" ]; then
 27 | 		echo "Binary hash mismatch ... please init again."
 28 | 		exit 1
 29 | 	fi
 30 |     echo "Hash validated for $1"
 31 | }
 32 | build_process() {
 33 |     ROOT_DIR=`git rev-parse --show-toplevel`
 34 |     SCRIPT_DIR="$ROOT_DIR/ilo4_toolbox/scripts/iLO4"
 35 |     UTIL_DIR="$ROOT_DIR/util"
 36 |     BUILD_LOC=$(realpath "$3")
 37 |     DIR=`dirname $1`
 38 |     FIRMWARE="$2"
 39 |     DEST="$BUILD_LOC/$(basename "$FIRMWARE").patched"
 40 | 
 41 |     rm -rf "$BUILD_LOC"
 42 | 
 43 |     echo "Extracting with iLO4 Toolbox ..."
 44 |     python "$SCRIPT_DIR/ilo4_extract.py" "$FIRMWARE" "$BUILD_LOC" &> /dev/null
 45 |     echo "Patching bootloader ..."
 46 |     python "$UTIL_DIR/patch.py" "$BUILD_LOC/bootloader.bin" "$DIR/patch_bootloader.json" "$BUILD_LOC/bootloader.bin.patched"
 47 |     echo "Patching kernel ..."
 48 |     python "$UTIL_DIR/patch.py" "$BUILD_LOC/kernel_main.bin" "$DIR/patch_kernel.json" "$BUILD_LOC/kernel_main.bin.patched"
 49 |     echo "Patching userland ..."
 50 |     python "$UTIL_DIR/patch.py" "$BUILD_LOC/elf.bin" "$DIR/patch_userland.json" "$BUILD_LOC/elf.bin.patched"
 51 | 
 52 |     echo "Repacking with iLO4 Toolbox ..."
 53 |     python "$SCRIPT_DIR/ilo4_repack.py" "$FIRMWARE" "$BUILD_LOC/firmware.map" "$BUILD_LOC/elf.bin.patched" "$BUILD_LOC/kernel_main.bin.patched" "$BUILD_LOC/bootloader.bin.patched" &> /dev/null
 54 |     mv "$FIRMWARE.backdoored.toflash" "$DEST"
 55 | 
 56 |     echo "Final firmware at $3/$(basename "$DEST")"
 57 | }
 58 | run_patch() {
 59 |     PATCH_PATH="patches/$1"
 60 |     if [ -f "$PATCH_PATH/config" ]; then
 61 |         source "$PATCH_PATH/config"
 62 |         BIN_PATH="binaries/$BINARY_NAME"
 63 |         check_hash "$BIN_PATH" "$BINARY_SHA1"
 64 |         build_process "$PATCH_PATH/config" "$BIN_PATH" "build"
 65 |         #./$PATCH_PATH/build.sh "$BIN_PATH" "build"
 66 |         check_hash "build/$BINARY_NAME.patched" "$RESULT_SHA1"
 67 |         exit 0
 68 |     else
 69 |         exit_help
 70 |     fi
 71 | }
 72 | do_init() {
 73 | 	echo "Downloading binaries ..."
 74 | 	rm -rf binaries/
 75 | 	mkdir -p binaries/
 76 | 	for d in patches/* ; do
 77 | 		if [ -d "$d" ]; then
 78 |             if [ -f "$d/config" ]; then
 79 |                 source "$d/config"
 80 |                 if [ -f "./binaries/$BINARY_NAME" ]; then
 81 |                     echo "Binary $BINARY_NAME already downloaded ..."
 82 |                 else
 83 |                     echo "Downloading $BINARY_URL as $BINARY_NAME"
 84 |                     wget -O temp.csexe -q $BINARY_URL
 85 |                     sh temp.csexe --unpack=archivetemp > /dev/null
 86 |                     cp archivetemp/ilo4_*.bin "./binaries/$BINARY_NAME"
 87 |                     if [ "$NAME" = "250" ]; then
 88 |                         cp archivetemp/flash_ilo4 archivetemp/CP027911.xml ./binaries/
 89 |                     fi
 90 |                     rm -rf archivetemp
 91 |                     rm temp.csexe
 92 |                     check_hash "binaries/$BINARY_NAME" "$BINARY_SHA1"
 93 |                 fi
 94 |             fi
 95 | 		fi
 96 | 	done
 97 | 	echo "Downloaded binaries to to ./binaries"
 98 | 	ls -al binaries
 99 | 	exit 0
100 | }
101 | get_latest() {
102 |     latest_patch=`cat ./patches/latest`
103 |     run_patch $latest_patch
104 | }
105 | 
106 | # Runtime
107 | if [ $# -ne 1 ]; then
108 |     exit_help
109 | fi
110 | set -e
111 | 
112 | 
113 | cd "${0%/*}" # cd to script location
114 | 
115 | case $1 in
116 | 	init)
117 | 		do_init
118 | ;;
119 |     "latest")
120 |         get_latest
121 | ;;
122 | 	*)
123 | 		run_patch $1
124 | ;;
125 | esac
126 | 


--------------------------------------------------------------------------------
/misc/dissect.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # This file is part of the ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto.
 5 | #
 6 | # This program is free software: you can redistribute it and/or modify
 7 | # it under the terms of the GNU General Public License as published by
 8 | # the Free Software Foundation, version 3.
 9 | #
10 | # This program is distributed in the hope that it will be useful, but
11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 | # General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 | set -e
18 | 
19 | cd "${0%/*}" # cd to script location
20 | cd ../
21 | cp build/elf.bin.patched ilo4_toolbox/scripts/iLO4/elf.bin
22 | cd ilo4_toolbox/scripts/iLO4/
23 | rm -rf mods loaders scripts
24 | ruby dissection.rb elf.bin
25 | zip -r dissect.zip mods loaders scripts
26 | cd ../../../
27 | cp ilo4_toolbox/scripts/iLO4/dissect.zip build/dissect.zip
28 | 


--------------------------------------------------------------------------------
/misc/extract-after-compile.py:
--------------------------------------------------------------------------------
  1 | # Derived from https://github.com/airbus-seclab/ilo4_toolbox
  2 | 
  3 | # This script works like the default ilo4_extract script, but
  4 | # it's been retooled to extract a working elf.bin from a final patched
  5 | # binary generated by ilo4_toolbox -- I used it to extract the final
  6 | # 273.bin.fancommands binary into something I could diff in Ida
  7 | 
  8 | #!/usr/bin/python
  9 | 
 10 | import os
 11 | import sys
 12 | import json
 13 | from ilo4 import *
 14 | from struct import unpack_from
 15 | from collections import OrderedDict
 16 | 
 17 | 
 18 | BEGIN_SIGN = "--=</Begin HP Signed File Fingerprint\>=--\n"
 19 | END_SIGN = "--=</End HP Signed File Fingerprint\>=--\n"
 20 | BEGIN_CERT = "-----BEGIN CERTIFICATE-----\n"
 21 | END_CERT = "-----END CERTIFICATE-----\n"
 22 | 
 23 | IMG_LIST = ["elf", "kernel_main", "kernel_recovery"]
 24 | 
 25 | HPIMAGE_HDR_SIZE = 0x4A0
 26 | BOOTLOADER_HDR_SIZE = 0x440
 27 | IMG_HDR_SIZE = 0x440
 28 | 
 29 | 
 30 | if len(sys.argv) != 3:
 31 |     print "usage: %s <filename> <outdir>"
 32 |     sys.exit(1)
 33 | 
 34 | filename = sys.argv[1]
 35 | outdir = sys.argv[2]
 36 | 
 37 | if not os.path.exists(outdir):
 38 |     os.makedirs(outdir)
 39 | 
 40 | with open(filename, "rb") as fff:
 41 |     data = fff.read()
 42 | 
 43 | offsets_map = OrderedDict()
 44 | global_offset = 0
 45 | 
 46 | # data starts at
 47 | # 01 00 00 00 29 32 EC AE CC 69 D8 43 BD 0E 61 DC 34 06 F7 1B 00 00 00 00
 48 | # have to add this to top of function
 49 | targetListsize = unpack_from("<L", data)[0]
 50 | 
 51 | print "\n[+] iLO target list: %x element(s)" % (targetListsize)
 52 | 
 53 | data = data[4:]
 54 | global_offset += 4
 55 | 
 56 | for i in range(targetListsize):
 57 |     raw = data[:0x10]
 58 |     dev = ""
 59 |     id = uuid.UUID(raw.encode("hex"))
 60 |     if id in TARGETS:
 61 |         dev = TARGETS[id]
 62 | 
 63 |     print "    target 0x%x (%s)" % (i, dev)
 64 |     print hexdump(raw)
 65 | 
 66 |     if dev == "":
 67 |         print "[x] unknown target"
 68 |         sys.exit(0)
 69 | 
 70 |     data = data[0x10:]
 71 |     global_offset += 0x10
 72 | 
 73 | data = data[4:]
 74 | global_offset += 4
 75 | 
 76 | print hexdump(data[0:100])
 77 | #------------------------------------------------------------------------------
 78 | # get signature: should be iLO3, iLO4 or iLO5
 79 | 
 80 | ilo_sign = data[:4]
 81 | ilo_bootloader_header = data[:BOOTLOADER_HDR_SIZE]
 82 | ilo_bootloader_footer = data[-0x40:]
 83 | print ilo_sign
 84 | data = data[BOOTLOADER_HDR_SIZE:]
 85 | offsets_map["BOOTLOADER_HDR"] = global_offset
 86 | global_offset += BOOTLOADER_HDR_SIZE
 87 | 
 88 | print "[+] iLO bootloader header : %s" % (ilo_bootloader_header[:0x1a])
 89 | 
 90 | with open(outdir + "/bootloader.hdr", "wb") as fff:
 91 |     fff.write(ilo_bootloader_header)
 92 | 
 93 | bootloader_header = BootloaderHeader.from_buffer_copy(ilo_bootloader_header)
 94 | bootloader_header.dump()
 95 | 
 96 | with open(outdir + "/bootloader.sig", "wb") as fff:
 97 |     fff.write(bootloader_header.to_str(bootloader_header.signature))
 98 | 
 99 | 
100 | #------------------------------------------------------------------------------
101 | # extract Bootloader footer and cryptographic parameters
102 | 
103 | print "[+] iLO Bootloader footer : %s" % (ilo_bootloader_footer[:0x1a])
104 | 
105 | bootloader_footer = BootloaderFooter.from_buffer_copy(ilo_bootloader_footer)
106 | bootloader_footer.dump()
107 | 
108 | total_size = bootloader_header.total_size
109 | 
110 | print "\ntotal size:    0x%08x" % total_size
111 | print "payload size:  0x%08x" % len(data)
112 | print "kernel offset: 0x%08x\n" % bootloader_footer.kernel_offset
113 | 
114 | offsets_map["BOOTLOADER"] = global_offset + total_size - bootloader_footer.kernel_offset - BOOTLOADER_HDR_SIZE
115 | ilo_bootloader = data[-bootloader_footer.kernel_offset:-BOOTLOADER_HDR_SIZE]
116 | 
117 | with open(outdir + "/bootloader.bin", "wb") as fff:
118 |     fff.write(ilo_bootloader)
119 | 
120 | data = data[:total_size-BOOTLOADER_HDR_SIZE]
121 | print hexdump(data[0:100])
122 | ilo_crypto_params = data[len(data)-((~bootloader_footer.sig_offset + 1) & 0xFFFF): len(data)-0x40]
123 | 
124 | with open(outdir + "/sign_params.raw", "wb") as fff:
125 |     fff.write(ilo_crypto_params)
126 | 
127 | crypto_params = SignatureParams.from_buffer_copy(ilo_crypto_params)
128 | crypto_params.dump()
129 | 
130 | 
131 | #------------------------------------------------------------------------------
132 | # extract images
133 | 
134 | ilo_num = 0
135 | 
136 | off = data.find(ilo_sign)
137 | 
138 | while off >= 0:
139 |     print hexdump(data[:400])
140 |     # skip padding
141 |     if data[:off] != "\xff" * off:
142 |         with open(outdir + "/failed_assert.bin", "wb") as fff:
143 |             fff.write(data)
144 | 
145 |     assert(data[:off] == "\xff" * off)
146 |     data = data[off:]
147 |     global_offset += off
148 | 
149 |     # extract header
150 |     ilo_header = data[:IMG_HDR_SIZE]
151 |     data = data[IMG_HDR_SIZE:]
152 | 
153 |     with open(outdir + "/%s.hdr" % IMG_LIST[ilo_num], "wb") as fff:
154 |         fff.write(ilo_header)
155 | 
156 |     print "[+] iLO Header %d: %s" % (ilo_num, ilo_header[:0x1a])
157 | 
158 |     img_header = ImgHeader.from_buffer_copy(ilo_header)
159 |     img_header.dump()
160 | 
161 |     with open(outdir + "/%s.sig" % IMG_LIST[ilo_num], "wb") as fff:
162 |         fff.write(img_header.to_str(img_header.signature))
163 | 
164 |     payload_size = img_header.raw_size - IMG_HDR_SIZE
165 | 
166 |     data1 = data[:payload_size]
167 |     data = data[payload_size:]
168 | 
169 |     # insert img into offsets map
170 |     offsets_map["%s_HDR" % IMG_LIST[ilo_num].upper()] = global_offset
171 |     global_offset += IMG_HDR_SIZE
172 |     offsets_map["%s" % IMG_LIST[ilo_num].upper()] = global_offset
173 |     global_offset += payload_size
174 | 
175 |     psz, = unpack_from("<L", data1)
176 |     print hexdump(data1[0:100])
177 |     print psz
178 |     data1 = data1[4:]
179 |     assert(psz == payload_size-4)
180 |     assert(psz == len(data1))
181 | 
182 |     window = ['\0'] * 0x1000
183 |     wchar = 0
184 | 
185 |     with open(outdir + "/%s.raw" % IMG_LIST[ilo_num], "wb") as fff:
186 |         fff.write(data1)
187 | 
188 |     print "[+] Decompressing"
189 | 
190 |     output_size = decompress_all(data1, outdir + "/%s.bin" % IMG_LIST[ilo_num])
191 |     print "    decompressed size : 0x%08x\n" % (output_size)
192 | 
193 |     print "[+] Extracted %s.bin" % IMG_LIST[ilo_num]
194 | 
195 |     off = data.find(ilo_sign)
196 |     print off
197 |     print hexdump(data[0:100])
198 | 
199 |     ilo_num += 1
200 |     if ilo_num == 3:
201 |         break
202 | 
203 | 
204 | #------------------------------------------------------------------------------
205 | # output offsets map
206 | 
207 | print "[+] Firmware offset map"
208 | for part, offset in offsets_map.iteritems():
209 |     print "  > %20s at 0x%08x" % (part, offset)
210 | 
211 | with open(outdir + "/firmware.map", "wb") as fff:
212 |     fff.write(json.dumps(offsets_map, sort_keys=True, indent=4, separators=(',', ': ')))
213 | 
214 | print "\n> done\n"
215 | 


--------------------------------------------------------------------------------
/patches/250/config:
--------------------------------------------------------------------------------
1 | NAME="250"
2 | BINARY_NAME="ilo4_250.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v112485/CP027911.scexe"
4 | BINARY_SHA1="924638e17d421c1890139a8aae17287642a5362e"
5 | RESULT_SHA1="1bb4e0f65f88dae20f497aaa39d6bbbde2509332"
6 | 


--------------------------------------------------------------------------------
/patches/250/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/250/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FB1C",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/250/patch_userland.json:
--------------------------------------------------------------------------------
1 | []
2 | 


--------------------------------------------------------------------------------
/patches/250/readme.md:
--------------------------------------------------------------------------------
1 | # iLO 2.50 Patch
2 | This patch is copied verbatim from iLO4 Toolbox. It does not provide any fan control functionality, but merely provides the base framework needed to patch firmware binaries with signature validation skips.
3 | 
4 | This patch isn't intended for use, nor has it been tested. It's merely provided as the baseline of work produced by Airbus Security Lab needed to continue this work.
5 | 


--------------------------------------------------------------------------------
/patches/273/build.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # This file is part of the ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto.
 5 | #
 6 | # This program is free software: you can redistribute it and/or modify
 7 | # it under the terms of the GNU General Public License as published by
 8 | # the Free Software Foundation, version 3.
 9 | #
10 | # This program is distributed in the hope that it will be useful, but
11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 | # General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 | set -e
18 | if [ $# -ne 2 ]; then
19 |     echo "usage: $0 <firmware.bin> <build-dir>"
20 |     exit 1
21 | fi
22 | 
23 | ROOT_DIR=`git rev-parse --show-toplevel`
24 | SCRIPT_DIR="$ROOT_DIR/ilo4_toolbox/scripts/iLO4"
25 | UTIL_DIR="$ROOT_DIR/util"
26 | BUILD_LOC=$(realpath "$2")
27 | DIR=`dirname $0`
28 | FIRMWARE="$1"
29 | DEST="$BUILD_LOC/$(basename "$FIRMWARE").patched"
30 | 
31 | rm -rf "$BUILD_LOC"
32 | 
33 | echo "Starting iLO4 Toolbox Extraction ..."
34 | python "$SCRIPT_DIR/ilo4_extract.py" "$FIRMWARE" "$BUILD_LOC"
35 | echo "Patching bootloader ..."
36 | python "$UTIL_DIR/patch.py" "$BUILD_LOC/bootloader.bin" "$DIR/patch_bootloader.json" "$BUILD_LOC/bootloader.bin.patched"
37 | echo "Patching kernel ..."
38 | python "$UTIL_DIR/patch.py" "$BUILD_LOC/kernel_main.bin" "$DIR/patch_kernel.json" "$BUILD_LOC/kernel_main.bin.patched"
39 | echo "Patching userland ..."
40 | python "$UTIL_DIR/patch.py" "$BUILD_LOC/elf.bin" "$DIR/patch_userland.json" "$BUILD_LOC/elf.bin.patched"
41 | 
42 | echo "Repacking with iLO4 Toolbox ..."
43 | python "$SCRIPT_DIR/ilo4_repack.py" "$FIRMWARE" "$BUILD_LOC/firmware.map" "$BUILD_LOC/elf.bin.patched" "$BUILD_LOC/kernel_main.bin.patched" "$BUILD_LOC/bootloader.bin.patched"
44 | mv "$FIRMWARE.backdoored.toflash" "$DEST"
45 | 
46 | echo "Final firmware at $2/$(basename "$DEST")"
47 | 


--------------------------------------------------------------------------------
/patches/273/config:
--------------------------------------------------------------------------------
1 | NAME="273"
2 | BINARY_NAME="ilo4_273.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v176128/CP042663.scexe"
4 | BINARY_SHA1="8303c236c3417814afa0ed4b63e2d1ac48e3e881"
5 | RESULT_SHA1="06e572e9de5926208bfc52998abdc44410672a79"
6 | 


--------------------------------------------------------------------------------
/patches/273/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/273/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FB48",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/273/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x96C2CC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"Rename `quit` to `OCBB`",
11 | 		"offset":		"0xB7D2B4",
12 | 		"size":			4,
13 | 		"prev_data":	"71 75 69 74",
14 | 		"patch":		"4F 43 42 42"
15 | 	},
16 | 	{
17 | 		"remark": 		"Rename `VSPR` to `h`",
18 | 		"offset":		"0xB7D3C8",
19 | 		"size":			5,
20 | 		"prev_data":	"56 53 50 5C 52",
21 | 		"patch":		"48 00 00 00 00"
22 | 	},
23 | 	{
24 | 		"remark": 		"Rename `DEBUG` to `OCSD`",
25 | 		"offset":		"0xB7D3E0",
26 | 		"size":			5,
27 | 		"prev_data":	"44 45 42 55 47",
28 | 		"patch":		"4F 43 53 44 00"
29 | 	},
30 | 	{
31 | 		"remark": 		"Rename `NULL_CMD` to `FAN`",
32 | 		"offset":		"0xB7D43C",
33 | 		"size":			8,
34 | 		"prev_data":	"4E 55 4C 4C 5F 43 4D 44",
35 | 		"patch":		"46 41 4E 00 00 00 00 00"
36 | 	},
37 | 	{
38 | 		"remark": 		"Add function handler for new functions",
39 | 		"offset":		"0xAFA954",
40 | 		"size":			116,
41 | 		"prev_data":	"0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A 1F 8F E2 00 50 A0 E1 FE 96 00 EB 54 12 9F E5 04 00 95 E5 01 00 50 E1 09 00 00 1A 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 00 00 A0 E3 98 00 85 E5 2C 02 9F E5 36 00 00 EB 91 1F 8F E2 05 00 00 EA 04 00 A0 E3 28 00 85 E5 00 00 A0 E3 60 00 85 E5 98 00 85 E5 8B 1F 8F E2 04 00 95 E5 65 D7 FF EB",
42 | 		"patch":		"05 00 A0 E3 04 00 00 EA 06 00 A0 E3 02 00 00 EA 07 00 A0 E3 00 00 00 EA 08 00 A0 E3 0D C0 A0 E1 00 D8 2D E9 04 B0 4C E2 0A DC 4D E2 00 00 8D E5 00 30 A0 E3 04 20 8D E2 01 0A 87 E2 01 10 D0 E4 20 00 51 E3 01 30 C2 04 01 10 C2 14 00 00 51 E3 F9 FF FF 1A 00 30 C2 E5 0D 00 A0 E1 05 1C 8D E2 EE F8 00 EB 00 05 9D E5 00 A8 1B E9 00 00 00 00 00 00 00 00"
43 | 	},
44 | 	{
45 | 		"remark": 		"Immediately Break sub_E75D98 w/ jump to E76184",
46 | 		"offset":		"0x402940",
47 | 		"size":			4,
48 | 		"prev_data":	"0D C0 A0 E1",
49 | 		"patch":		"F9 00 00 EA"
50 | 	},
51 | 	{
52 | 		"remark": 		"0xE76184 Logging Patch",
53 | 		"offset":		"0x402D30",
54 | 		"size":			172,
55 | 		"prev_data":	"E0 DC 2D E9 04 B0 4C E2 4A DF 4D E2 00 A0 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 05 20 A0 E3 14 11 9F E5 46 0F 8D E2 2D 62 5C EB 0C 11 9F E5 00 00 95 E5 01 00 50 E1 46 1F 8D 02 05 00 A0 01 1E FE FF 0B 00 00 95 E5 00 00 90 E5 00 00 50 E3 E0 AC 1B D9 18 01 DD E5 00 00 50 E3 E0 AC 1B 09 18 00 8D E2 40 10 A0 E3 57 A3 5B EB D0 10 9F E5 00 00 91 E5 12 1E 9D E2 10 10 8D 02 25 9F 5B EB 00 00 50 E3 0C 00 00 1A 00 00 5A E3 B4 50 8F 02 B8 50 8F 12 BC 00 9F E5 24 11 9D E5 2C A8 5B EB 00 C0 A0 E1 20 A1 9D E5 07 00 A0 E1",
56 | 		"patch":		"0E 00 2D E9 0D 20 A0 E1 C0 D8 2D E9 10 B0 4C E2 01 DB 4D E2 00 10 A0 E1 80 00 8D E2 C4 67 5C EB 0D 60 A0 E3 80 70 8D E2 5C 30 8D E2 08 00 8D E2 01 10 D7 E4 0A 00 51 E3 01 60 C0 04 00 00 51 E3 01 70 47 02 03 00 50 11 01 10 C0 E4 03 00 50 11 F6 FF FF 1A 00 10 A0 E3 00 10 C0 E5 03 20 A0 E3 04 20 8D E5 01 10 A0 E3 60 10 8D E5 0C 00 A0 E3 00 00 8D E5 64 30 8D E2 60 20 A0 E3 04 10 8D E2 14 00 8F E2 0A A0 5F EB 00 00 D7 E5 00 00 50 E3 E4 FF FF 1A 64 00 9D E5 C0 A8 1B E9 56 53 50 43 48 41 4E 4E 45 4C 00 00 00 00 00 00"
57 | 	},
58 | 	{
59 | 		"remark": 		"Add entry jump to OCBB",
60 | 		"offset":		"0xB945A0",
61 | 		"size":			4,
62 | 		"prev_data":	"74 9E 01 00",
63 | 		"patch":		"74 D1 01 00"
64 | 	},
65 | 	{
66 | 		"remark": 		"Add entry jump to health",
67 | 		"offset":		"0xB947B4",
68 | 		"size":			4,
69 | 		"prev_data":	"7C C8 01 00",
70 | 		"patch":		"5C D1 01 00"
71 | 	},
72 | 	{
73 | 		"remark": 		"Add entry jump to OCSD",
74 | 		"offset":		"0xB94808",
75 | 		"size":			4,
76 | 		"prev_data":	"C8 CE 01 00",
77 | 		"patch":		"6C D1 01 00"
78 | 	},
79 | 	{
80 | 		"remark": 		"Add entry jump to fan",
81 | 		"offset":		"0xB948E8",
82 | 		"size":			4,
83 | 		"prev_data":	"5C D1 01 00",
84 | 		"patch":		"64 D1 01 00"
85 | 	}
86 | ]
87 | 


--------------------------------------------------------------------------------
/patches/273/patches.md:
--------------------------------------------------------------------------------
 1 | # Patches
 2 | To the best of my ability, I've documented the patched bytes included in the patch_userland.json file below.
 3 | 
 4 | ## Bypass signature check : BEQ XX -> B XX
 5 | By patching the signature check in the userland, we're able to upload arbitrary firmware. This is a very similar change to the one we make in the kernel, except this validates the firmware after web upload, where the kernel change validates the firmware at boot. I'm not sure what the purpose of this code is - maybe to make it easier for /u/phoenixdev to work on changes? But the signature bypass didn't work in practice for me & I don't see this bypass in Airbus' research ... I might remove it in the future.
 6 | 
 7 | ## Rename `quit` to `OCBB`
 8 | In our table of commands, we must remove some known commands to make room for our new commands. Since `quit` is the same as `exit`, we can replace it with OCBB.
 9 | 
10 | ## Rename `VSPR` to `h`
11 | Next, since `VSP\R` is the same as `VSP`, we replace it with `h` to call our health utility
12 | 
13 | ## Rename `DEBUG` to `OCSD`
14 | Since `debug` is not very useful, we replace it with `OCSD` to call the option card utility.
15 | 
16 | ## Rename `NULL_CMD` to `FAN`
17 | Finally, Since `null_cmd` is unused, we can replace it with `fan` to call our fan utility
18 | 
19 | ## Add function argument parsing & entry point for new functions
20 | This is a hefty patch and its easier to cover what its doing in the disassembly. In essence, we add the entrypoints
21 | for our 4 new functions and include an argument parser to handle those. See the documented asm patch [here](/patches/277/asm/fn_handler.S).
22 | 
23 | This code replace some otherwise unused code that was handling null_cmd, which we removed already.
24 | Roughly, it parses the input arguments into a fat set of strings on the stack, spaced by `\0`, then calls 'sub_21B157C'.  
25 | sub_21B157C fires a call to our health service -- which will in turn call the desired function (there's a jumptable in .health that corresponds to our 5/6/7/8 value on the stack. (.health.elf.text:00E04CB4)
26 | 
27 | ## Immediately Break sub_E75D98 w/ jump to E76184
28 | Bypass default stdout behavior of `health` app and call E76184 instead.
29 | 
30 | ## 0xE76184 Logging Patch
31 | The original piece of code here looks to be dead, so we replace it with our custom logging code that is entered from sub_E75D98. The previous function seems to serve as the general handler for all output from the health service; so we subvert all the output back into here instead.
32 | This replicates an IPC call from .ConAppCLI, calling the VSPChannel task to log data to the stdout. See the documented asm patch [here](/patches/277/asm/stdout.S).
33 | 
34 | ## Add entry jump to OCBB
35 | There's also a separate array of shell command structs. Each element contains a pointer to the name, function, help function, and version function of a shell command. We move the second value, the function pointer, to point to the entrypoint marked previously.
36 | 
37 | ## Add entry jump to health
38 | As above for OCBB, we make the change for `health`.
39 | 
40 | ## Add entry jump to OCSD
41 | As above for OCBB, we make the change for `ocsd`.
42 | 
43 | ## Add entry jump to fan
44 | As above for OCBB, we make the change for `fan`.
45 | 


--------------------------------------------------------------------------------
/patches/273/readme.md:
--------------------------------------------------------------------------------
 1 | # iLO 2.73 Patch
 2 | 
 3 | This patch patches the signature checking in the kernel + bootloader (just like 250/), as well as applies modifications
 4 | to the iLO to unlock the iLO's locked fan controller, etc methods.
 5 | 
 6 | The generated patch has the checksums:
 7 | 06e572e9de5926208bfc52998abdc44410672a79	build/ilo4_273.bin.patched
 8 | a773d99a5e1d9aee0915fcb3cd746d5c			build/ilo4_273.bin.patched
 9 | 
10 | which are identical to the ilo4_273.bin.fancommands provided by /u/phoenixdev in their 2.73 release.
11 | 


--------------------------------------------------------------------------------
/patches/277-memdump/asm/fn_handler.S:
--------------------------------------------------------------------------------
 1 | prologue:
 2 | 	MOV		R12, SP
 3 | 	STMFD	SP!, {R5-R11, R12, LR, PC}
 4 | 	SUB		R11, R12, #4
 5 | 	SUB		SP, SP, #0x104
 6 | 	MOV		R6, R0
 7 | start:
 8 | 	BL		GrabContext						; grab_context(R0)
 9 | 	MOV		R5, R0							; preserve context
10 | 	MOV		R7, R5							; i = 0 / wherever to start dumping
11 | 	MOV		R6, R7							; keep a copy of start index
12 | loop:
13 | 	ADD		R0, SP, #4						; storage spot SP+4
14 | 	ADR		R1, printedString				; formatString
15 | 	MOV		R2, R6							; i
16 | 	LDRB	R3, [R6], #1					; byte, load byte @ i, R6++
17 | 	BL		sprintf							; libc sprintf(storage spot, formatString, i, byte)
18 | 	LDR		R0, [R5, #4]					; R0 = context@0x4
19 | 	ADR		R1, stringForm					; print sprintf result "%s"
20 | 	ADD		R2, SP, #4						; actual sprintf value @ SP+4
21 | 	BL		printToShell					; print to shell (printf-y)
22 | 	SUB		R0, R6, R7
23 | 	LDR		R1, endPtr						; grab ending size
24 | 	CMP		R0, R1							; if we've printed more than ending size bytes
25 | 	BLT		loop							; if less than end size, keep going!
26 | end:
27 | 	LDMDB	R11, {R5-R11, SP, PC}			; epilogue
28 | 
29 | GrabContext:
30 | 	LDR		R10, GrabContext_fn
31 | 	BX		R10
32 | GrabContext_fn:
33 | 	.word 0x00021F9C
34 | 
35 | sprintf:
36 | 	LDR		R10, sprintf_fn
37 | 	BX		R10
38 | sprintf_fn:
39 | 	.word 0x017B407C
40 | 
41 | printToShell:
42 | 	LDR		R10, printToShell_fn
43 | 	BX		R10
44 | printToShell_fn:
45 | 	.word 0x00012F68
46 | 
47 | printedString:
48 | 	.string "%x : %x\r\n\r\n"
49 | stringForm:
50 | 	.string "%s"
51 | endPtr:
52 | 	.word	0x0000FFFF
53 | 
54 | 	.skip 989, 0x0
55 | 


--------------------------------------------------------------------------------
/patches/277-memdump/config:
--------------------------------------------------------------------------------
1 | NAME="277-memdump"
2 | BINARY_NAME="ilo4_277.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v188589/CP046020.scexe"
4 | BINARY_SHA1="128f2ce1834dd68e0b2d806243e14fcc27b51364"
5 | RESULT_SHA1="952dd04199698f861738759b2986323472ce3685"
6 | 


--------------------------------------------------------------------------------
/patches/277-memdump/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277-memdump/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FBB0",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277-memdump/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x96EDE8",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"Rename `VSPR` to `DUMP`",
11 | 		"offset":		"0xB8045C",
12 | 		"size":			5,
13 | 		"prev_data":	"56 53 50 5C 52",
14 | 		"patch":		"44 55 4D 50 00"
15 | 	},
16 | 	{
17 | 		"remark": 		"Add function handler for dump",
18 | 		"offset":		"0xAF9134",
19 | 		"size":			1136,
20 | 		"prev_data":	"0D C0 A0 E1 E0 DC 2D E9 04 B0 4C E2 0A DC 4D E2 90 A2 9F E5 00 60 A0 E1 15 25 00 EB A2 1F 8F E2 00 50 A0 E1 88 A8 00 EB 0D 00 A0 E1 02 1C A0 E3 FD A8 5D EB 80 02 9F E5 00 70 85 E0 07 10 A0 E1 09 0C 8D E2 58 67 5E EB 99 0F 85 E2 21 67 5E EB 00 00 50 E3 3F 00 00 0A D9 0F 85 E2 1D 67 5E EB 00 00 50 E3 17 00 00 0A 02 0B 8D E2 40 10 A0 E3 ED A8 5D EB 02 2B 8D E2 99 1F 85 E2 06 00 A0 E1 01 3C A0 E3 89 A4 00 EB 02 1B 8D E2 06 00 A0 E1 F6 13 00 EB 01 00 70 E3 08 00 00 1A 09 1C 8D E2 06 00 A0 E1 F1 13 00 EB 02 00 A0 E3 28 00 85 E5 06 00 A0 E3 60 00 85 E5 00 00 A0 E3 50 00 00 EA 02 0C A0 E3 00 00 00 EA 01 0C A0 E3 0D 20 A0 E1 00 10 85 E0 59 1F 81 E2 06 00 A0 E1 02 3B A0 E3 DA FD FF EB 0D 00 A0 E1 FA 66 5E EB 00 00 50 E3 09 00 00 0A 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 93 11 00 EB 0D 10 A0 E1 06 00 A0 E1 F7 AE 00 EB 0A 00 00 EA 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 0B 00 A0 E3 98 00 85 E5 04 00 95 E5 87 11 00 EB 04 00 95 E5 5E 1F 8F E2 BD E8 FF EB 09 1C 8D E2 06 00 A0 E1 C6 13 00 EB E0 AC 1B E9 07 00 A0 E1 DD 66 5E EB 00 00 50 E3 2B 00 00 0A 55 1F 8F E2 07 00 A0 E1 28 67 5E EB 00 00 50 E3 26 00 00 0A 04 02 97 E5 24 10 90 E5 0D 20 A0 E1 00 00 51 E3 05 00 00 0A 02 00 A0 E1 02 2B A0 E3 7E 66 5E EB 00 00 A0 E3 FF 07 CD E5 03 00 00 EA 07 10 A0 E1 06 00 A0 E1 02 3B A0 E3 A5 FD FF EB 0D 00 A0 E1 C5 66 5E EB 00 00 50 E3 09 00 00 0A 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 5E 11 00 EB 0D 10 A0 E1 06 00 A0 E1 C2 AE 00 EB E0 AC 1B E9 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 0B 00 A0 E3 98 00 85 E5 04 00 95 E5 52 11 00 EB A8 10 8F E2 92 00 00 EA 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 4A 11 00 EB 88 60 8F E2 04 00 95 E5 06 10 A0 E1 7F E8 FF EB 04 00 95 E5 7C 10 8F E2 7C E8 FF EB 04 00 95 E5 06 10 A0 E1 79 E8 FF EB 21 00 00 EA 43 4C 49 5F 76 65 72 73 69 6F 6E 48 61 6E 64 6C 65 72 00 00 53 4D 2D 43 4C 50 20 25 73 20 56 65 72 73 69 6F 6E 20 25 64 2E 25 64 0D 0A 00 00 00 53 4D 2D 43 4C 50 20 56 65 72 73 69 6F 6E 20 25 64 2E 25 64 0D 0A 00 00 25 73 00 00 8C 8A 0D 00 43 4C 49 5F 68 65 6C 70 48 61 6E 64 6C 65 72 00 70 15 00 00 0D 0A 00 00 2F 00 00 00 44 4D 54 46 20 53 4D 41 53 48 20 43 4C 50 20 43 6F 6D 6D 61 6E 64 73 3A 0D 0A 00 00 04 00 95 E5 63 EC FF EB 04 00 95 E5 7A EC FF EB 04 00 95 E5 8C EC FF EB 04 00 95 E5 06 10 A0 E1 4D E8 FF EB 04 00 95 E5 50 ED FF EB 04 00 95 E5 06 10 A0 E1 48 E8 FF EB 04 00 95 E5 59 ED FF EB 04 00 95 E5 06 10 A0 E1 43 E8 FF EB 04 00 95 E5 5F ED FF EB 04 00 95 E5 06 10 A0 E1 3E E8 FF EB 04 00 95 E5 68 ED FF EB 04 00 95 E5 71 ED FF EB 04 00 95 E5 7A ED FF EB 04 00 95 E5 83 ED FF EB 04 00 95 E5 2A EE FF EB 04 00 95 E5 33 EE FF EB 04 00 95 E5 3C EE FF EB 04 00 95 E5 48 EC FF EB 04 00 95 E5 06 10 A0 E1 2B E8 FF EB 04 00 95 E5 40 EE FF EB 04 00 95 E5 06 10 A0 E1 26 E8 FF EB 04 00 95 E5 49 EE FF EB 04 00 95 E5 55 EE FF EB 04 00 95 E5 06 10 A0 E1 1F E8 FF EB 00 10 9A E5 00 00 51 E3 05 00 00 1A DC 2F 8F E2 90 13 9F E5 02 00 A0 E3 C2 70 01 EB 00 10 A0 E1 00 10 8A E5 04 00 95 E5 14 E8 FF EB 04 00 95 E5 DD 1F 8F E2 11 E8 FF EB 04 00 95 E5 DE 1F 8F E2 0E E8 FF EB 04 00 95 E5 42 EF FF EB 04 00 95 E5 4B EF FF EB 04 00 95 E5 FF EF FF EB 04 00 95 E5 08 F0 FF EB 04 00 95 E5 11 F0 FF EB 04 00 95 E5 1A F0 FF EB 04 00 95 E5 23 F0 FF EB 04 00 95 E5 2C F0 FF EB 04 00 95 E5 7B F9 FF EB 32 00 A0 E3 6D 55 01 EB 00 00 50 E3 04 00 95 15 3B F0 FF 1B 06 10 A0 E1 04 00 95 E5 F4 E7 FF EB E0 AC 1B E9",
21 | 		"file":			"fn_handler.S"
22 | 	},
23 | 	{
24 | 		"remark": 		"Add entry jump to dump",
25 | 		"offset":		"0xB97848",
26 | 		"size":			4,
27 | 		"prev_data":	"7C C8 01 00",
28 | 		"patch":		"28 8B 01 00"
29 | 	}
30 | ]
31 | 


--------------------------------------------------------------------------------
/patches/277-memdump/readme.md:
--------------------------------------------------------------------------------
1 | # v2.77 memory dump
2 | 
3 | Adds a function `dump` that dumps memory hex to the CLI
4 | 
5 | Made obsolete by 277-tools
6 | 


--------------------------------------------------------------------------------
/patches/277-tools/asm/fan_handle.S:
--------------------------------------------------------------------------------
 1 | h:
 2 | 	MOV		r0, #5		; entrypoint for health (call switch #5)
 3 | 	B		start
 4 | 
 5 | fan:
 6 | 	MOV		r0, #6		; entrypoint for fan (call switch #6)
 7 | 	B		start
 8 | 
 9 | ocsd:
10 | 	MOV		r0, #7		; entrypoint for ocsd (call switch #7)
11 | 	B		start
12 | 
13 | ocbb:
14 | 	MOV		r0, #8		; entrypoint for ocbb (call switch #8)
15 | 
16 | start:
17 | 	MOV		R12, SP				; Initialize
18 | 	PUSH	{R11, R12, LR, PC}
19 | 	SUB		R11, R12, #4
20 | 	SUB		SP, SP, #0xA00		; Allocate space on stack for IPC struct
21 | 	STR		R0, [SP]			; Store R0 as first value in struct (switch value)
22 | 	MOV		R3, #0				; Init R3 to zero
23 | 	ADD		R2, SP, #4			; Move R2 to write at 0x4 in IPC struct
24 | 	ADD		R0, R7, #0x1000		; Move R0 to start of input arg
25 | loop:							; Parse string char-by-char
26 | 	LDRB	R1, [R0], #1		; Load char from string; R0++ (0x1000+i)
27 | 	CMP		R1, #0x20			; if loaded == ' '
28 | 	STRBEQ	R3, [R2],#1			;	then store \0 into R2, R2++
29 | 	STRBNE	R1, [R2],#1			;	else store char in R2, r2++
30 | 	CMP		R1, #0				; if char != \0
31 | 	BNE		loop				; 	then loop
32 | 	STRB	R3, [R2]			; store final \0 onto R2
33 | 	MOV		R0, SP				; Setup call
34 | 	ADD		R1, SP, #0x500		; Setup call
35 | 	BL		0x3e420				; health_ipc_call(SP, SP+500)
36 | 	LDR		R0, [SP,#0x500]		; load yielded value to R0
37 | 	LDMDB	R11, {R11,SP,PC}	; exit
38 | 
39 | 	.word	0x00000000
40 | 	.word	0x00000000
41 | 


--------------------------------------------------------------------------------
/patches/277-tools/asm/fan_log.S:
--------------------------------------------------------------------------------
 1 | start:									; MOV R12, SP (not overwritten)
 2 | 	PUSH	{R1-R3}						; init
 3 | 	MOV		R2, SP
 4 | 	PUSH	{R6, R7, R11, R12, LR, PC}
 5 | 	SUB		R11, R12, #0x10
 6 | 	SUB		SP, SP, #0x400				; Allocate space on stack
 7 | 	MOV		R1, R0						; save first parameter
 8 | 	ADD		R0, SP, #0x80				; Set R0 to 0x80 in stack struct
 9 | 	BL		0x1718b34					; libc call (?)
10 | 	MOV		R6, #0xD					; R6 = 0xD (\r)
11 | 	ADD		R7, SP, #0x80				; Move R7 to 0x80 in stack struct
12 | restart:
13 | 	ADD		R3, SP, #0x5C				; Move R3 to 0x5C in stack struct
14 | 	ADD		R0, SP, #0x08				; Move R0 to 0x08 in stack struct
15 | charloop:								;
16 | 	LDRB	R1, [R7], #1				; Read from 0x80+i
17 | 	CMP		R1, #0xA					; if char == \n
18 | 	STRBEQ	R6,[R0],#1					;	then store 0xD \r, R0++
19 | 	CMP		R1, #0						; if char == \0
20 | 	SUBEQ	R7, R7, #1					;	then R7 = R7 - 1 (move one character backwards?)
21 | 	CMPNE	R0, R3						;	else if R0 != R3
22 | 	STRB	R1, [R0], #1				; always store char @ R0 (why is this here?)
23 | 	CMPNE	R0, R3						;		else if R0 != R3
24 | 	BNE		charloop					;			break for next char
25 | 	MOV		R1, #0x0					; R1 = \0
26 | 	STRB	R1, [R0]					; store \0 at end of R0
27 | 	MOV		R2, #0x3					; R2 = 0x3
28 | 	STR		R2, [SP, #0x4]				; store 3 @ 0x4 in struct
29 | 	MOV		R1, #0x1					; R1 = 0x1
30 | 	STR		R1, [SP, #0x60]				; store 1 @ 0x60 in struct
31 | 	MOV		R0, #0xC					; R0 = #0xC
32 | 	STR		R0, [SP]					; store 0xC @ 0x0 in struct
33 | 	ADD		R3, SP, #0x64				; R3 = SP + 0x64
34 | 	MOV		R2, #0x60					; R2 = 0x60
35 | 	ADD		R1, SP, #4					; R1 = SP + 0x4
36 | 	ADR		R0, vspLabel				; R0 = VSPCHANNEL Task
37 | 	BL		0x17e6cb4					; create IPC call (this is similar to .ConAppCLI's sub_5B57C / health IPC call)
38 | 	LDRB	R0, [R7]					; get current character
39 | 	CMP		R0, #0						; if != \0
40 | 	BNE		restart						;	restart (send another line?)
41 | 	LDR		R0, [SP, #0x64]				; end
42 | 	LDMDB	R11, {R6, R7, R11, SP, PC}	; end
43 | 
44 | vspLabel:
45 | 	.string	"VSPCHANNEL"
46 | 
47 | 	.word	0x0
48 | 	.byte	0x0
49 | 


--------------------------------------------------------------------------------
/patches/277-tools/asm/tools.S:
--------------------------------------------------------------------------------
  1 | _start:
  2 | 	MOV		R12, SP
  3 | 	STMFD	SP!, {R5-R11, R12, LR, PC}
  4 | 	SUB		R11, R12, #4
  5 | 
  6 | 	MOV		R6, R0
  7 | 	BL		GrabContext
  8 | 	MOV		R5, R0
  9 | 	MOV		r8, #0
 10 | 	ADD		r1, r5, #0x264
 11 | _addr_loop:
 12 | 	LDRB	R2, [R1, #1]!
 13 | 	SUB		R2, R2, #0x41	; r2 = r2 - A
 14 | 	CMP		R2, #0x10		; r2 - 0x10
 15 | 	LSLLO	R8, R8, #4		; left shift #4 if below 0
 16 | 	ADDLO	R8, R8, R2		; r8 = r8 + r2 if below 0
 17 | 	BLO		_addr_loop		; loop again if below 0
 18 | 
 19 | 	LDRB	R0, [R5, #0x264]
 20 | 	CMP		R0, #0x61 ; a
 21 | 	BEQ		cmd_alloc
 22 | 	CMP		R0, #0x66 ; f
 23 | 	BEQ		cmd_free
 24 | 	CMP		R0, #0x77 ; w
 25 | 	BEQ		cmd_write
 26 | 	CMP		R0, #0x78 ; x
 27 | 	BEQ		cmd_execute
 28 | 	CMP		R0, #0x72 ; r
 29 | 	BEQ		cmd_read
 30 | 
 31 | 	MOV		r3, r8
 32 | 	ADD		r2, r5, #0x264
 33 | 	ADR		r1, _message
 34 | 	MOV		r0, r6
 35 | 	BL		printToShell
 36 | return:
 37 | 	LDMDB	R11, {R5-R11, SP, PC}			; epilogue
 38 | 
 39 | cmd_write: ; wADDR CONTENT
 40 | 	add r1, r5, #0x364
 41 | 
 42 | _cmdw_data_loop:
 43 | 	ldrb r2, [r1], #1
 44 | 	sub r2, r2, #0x41
 45 | 	cmp r2, #0x10
 46 | 	bhs return
 47 | 	lsl r3, r2, #4
 48 | 
 49 | 	ldrb r2, [r1], #1
 50 | 	sub r2, r2, #0x41
 51 | 	cmp r2, #0x10
 52 | 	bhs return
 53 | 	add r3, r3, r2
 54 | 
 55 | 	push {r0, r1, r2, r3}
 56 | 	mov r2, r8
 57 | 	adr r1, _cmdw_addr_fmt
 58 | 	mov r0, r6
 59 | 	bl printToShell
 60 | 	pop {r0, r1, r2, r3}
 61 | 
 62 | 	strb r3, [r8], #1
 63 | 	b _cmdw_data_loop
 64 | 
 65 | cmd_read:
 66 | 	add r1, r5, #0x364 ; r1 is reading size value
 67 | 	LDRB r9, [r1], #1
 68 | 	mov r2, r8		   ; r2 has start address
 69 | _cmdr_data_loop:
 70 | 	LDRB r8, [r2], #1	; grab from r2, incrementing r2, load into r8 for print
 71 | 	SUB r9, r9, #1
 72 | 	cmp r9, #0
 73 | 	blt return
 74 | 
 75 | 	push {r0, r1, r2, r3}
 76 | 	adr r1, _cmdr_addr_fmt
 77 | 	mov r3, r8
 78 | 	mov r0, r6
 79 | 	bl printToShell
 80 | 	pop {r0, r1, r2, r3}
 81 | 
 82 | 	b _cmdr_data_loop
 83 | cmd_alloc: ; aSIZE
 84 | 	mov r0, r8
 85 | 	bl libc_malloc
 86 | 	mov r2, r0
 87 | 	adr r1, _cmda_fmt
 88 | 	mov r0, r6
 89 | 	bl printToShell
 90 | 	b return
 91 | 
 92 | cmd_free: ; fADDR
 93 | 	mov r2, r8
 94 | 	adr r1, _cmdf_fmt
 95 | 	mov r0, r6
 96 | 	bl printToShell
 97 | 	mov r0, r8
 98 | 	bl libc_free
 99 | 	b return
100 | 
101 | cmd_execute: ; xADDR
102 | 	mov r1, r5
103 | 	mov r0, r6
104 | 	blx r8
105 | 	b return
106 | 
107 | GrabContext:
108 | 	LDR		R10, GrabContext_fn
109 | 	BX		R10
110 | GrabContext_fn:
111 | 	.word 0x00021F9C
112 | 
113 | sprintf:
114 | 	LDR		R10, sprintf_fn
115 | 	BX		R10
116 | sprintf_fn:
117 | 	.word 0x017B407C
118 | 
119 | printToShell:
120 | 	LDR		R10, printToShell_fn
121 | 	BX		R10
122 | printToShell_fn:
123 | 	.word 0x00012F68
124 | 
125 | libc_malloc:
126 | 	LDR		R10, libc_malloc_fn
127 | 	BX		R10
128 | libc_malloc_fn:
129 | 	.word 0x017B85E8
130 | 
131 | libc_free:
132 | 	LDR		R10, libc_free_fn
133 | 	BX		R10
134 | libc_free_fn:
135 | 	.word 0x017B86F4
136 | 
137 | _message:
138 | 	.ascii "arg[1]=%.256s, r8=%#x\r\n\0"
139 | 
140 | _cmdw_addr_fmt:
141 | 	.ascii "%#x <- %#x\r\n\0"
142 | 	.align 2
143 | 
144 | _cmdr_addr_fmt:
145 | 	.ascii "%#x : %#x\r\n\0"
146 | 	.align 2
147 | 
148 | _cmda_fmt:
149 | 	.ascii "alloc %#x\r\n\0"
150 | 
151 | _cmdf_fmt:
152 | 	.ascii "free %#x\r\n\0"
153 | 
154 | 	.skip 673, 0x0
155 | 


--------------------------------------------------------------------------------
/patches/277-tools/config:
--------------------------------------------------------------------------------
1 | NAME="277-tools"
2 | BINARY_NAME="ilo4_277.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v188589/CP046020.scexe"
4 | BINARY_SHA1="128f2ce1834dd68e0b2d806243e14fcc27b51364"
5 | RESULT_SHA1="b274fedc2a9cd6e45fe9c238f0f6b9a65144ab12"
6 | 


--------------------------------------------------------------------------------
/patches/277-tools/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277-tools/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FBB0",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277-tools/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x96EDE8",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"replace help with tools",
11 | 		"offset":		"0xAF9134",
12 | 		"size":			1136,
13 | 		"prev_data":	"0D C0 A0 E1 E0 DC 2D E9 04 B0 4C E2 0A DC 4D E2 90 A2 9F E5 00 60 A0 E1 15 25 00 EB A2 1F 8F E2 00 50 A0 E1 88 A8 00 EB 0D 00 A0 E1 02 1C A0 E3 FD A8 5D EB 80 02 9F E5 00 70 85 E0 07 10 A0 E1 09 0C 8D E2 58 67 5E EB 99 0F 85 E2 21 67 5E EB 00 00 50 E3 3F 00 00 0A D9 0F 85 E2 1D 67 5E EB 00 00 50 E3 17 00 00 0A 02 0B 8D E2 40 10 A0 E3 ED A8 5D EB 02 2B 8D E2 99 1F 85 E2 06 00 A0 E1 01 3C A0 E3 89 A4 00 EB 02 1B 8D E2 06 00 A0 E1 F6 13 00 EB 01 00 70 E3 08 00 00 1A 09 1C 8D E2 06 00 A0 E1 F1 13 00 EB 02 00 A0 E3 28 00 85 E5 06 00 A0 E3 60 00 85 E5 00 00 A0 E3 50 00 00 EA 02 0C A0 E3 00 00 00 EA 01 0C A0 E3 0D 20 A0 E1 00 10 85 E0 59 1F 81 E2 06 00 A0 E1 02 3B A0 E3 DA FD FF EB 0D 00 A0 E1 FA 66 5E EB 00 00 50 E3 09 00 00 0A 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 93 11 00 EB 0D 10 A0 E1 06 00 A0 E1 F7 AE 00 EB 0A 00 00 EA 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 0B 00 A0 E3 98 00 85 E5 04 00 95 E5 87 11 00 EB 04 00 95 E5 5E 1F 8F E2 BD E8 FF EB 09 1C 8D E2 06 00 A0 E1 C6 13 00 EB E0 AC 1B E9 07 00 A0 E1 DD 66 5E EB 00 00 50 E3 2B 00 00 0A 55 1F 8F E2 07 00 A0 E1 28 67 5E EB 00 00 50 E3 26 00 00 0A 04 02 97 E5 24 10 90 E5 0D 20 A0 E1 00 00 51 E3 05 00 00 0A 02 00 A0 E1 02 2B A0 E3 7E 66 5E EB 00 00 A0 E3 FF 07 CD E5 03 00 00 EA 07 10 A0 E1 06 00 A0 E1 02 3B A0 E3 A5 FD FF EB 0D 00 A0 E1 C5 66 5E EB 00 00 50 E3 09 00 00 0A 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 5E 11 00 EB 0D 10 A0 E1 06 00 A0 E1 C2 AE 00 EB E0 AC 1B E9 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 0B 00 A0 E3 98 00 85 E5 04 00 95 E5 52 11 00 EB A8 10 8F E2 92 00 00 EA 00 00 A0 E3 28 00 85 E5 60 00 85 E5 98 00 85 E5 04 00 95 E5 4A 11 00 EB 88 60 8F E2 04 00 95 E5 06 10 A0 E1 7F E8 FF EB 04 00 95 E5 7C 10 8F E2 7C E8 FF EB 04 00 95 E5 06 10 A0 E1 79 E8 FF EB 21 00 00 EA 43 4C 49 5F 76 65 72 73 69 6F 6E 48 61 6E 64 6C 65 72 00 00 53 4D 2D 43 4C 50 20 25 73 20 56 65 72 73 69 6F 6E 20 25 64 2E 25 64 0D 0A 00 00 00 53 4D 2D 43 4C 50 20 56 65 72 73 69 6F 6E 20 25 64 2E 25 64 0D 0A 00 00 25 73 00 00 8C 8A 0D 00 43 4C 49 5F 68 65 6C 70 48 61 6E 64 6C 65 72 00 70 15 00 00 0D 0A 00 00 2F 00 00 00 44 4D 54 46 20 53 4D 41 53 48 20 43 4C 50 20 43 6F 6D 6D 61 6E 64 73 3A 0D 0A 00 00 04 00 95 E5 63 EC FF EB 04 00 95 E5 7A EC FF EB 04 00 95 E5 8C EC FF EB 04 00 95 E5 06 10 A0 E1 4D E8 FF EB 04 00 95 E5 50 ED FF EB 04 00 95 E5 06 10 A0 E1 48 E8 FF EB 04 00 95 E5 59 ED FF EB 04 00 95 E5 06 10 A0 E1 43 E8 FF EB 04 00 95 E5 5F ED FF EB 04 00 95 E5 06 10 A0 E1 3E E8 FF EB 04 00 95 E5 68 ED FF EB 04 00 95 E5 71 ED FF EB 04 00 95 E5 7A ED FF EB 04 00 95 E5 83 ED FF EB 04 00 95 E5 2A EE FF EB 04 00 95 E5 33 EE FF EB 04 00 95 E5 3C EE FF EB 04 00 95 E5 48 EC FF EB 04 00 95 E5 06 10 A0 E1 2B E8 FF EB 04 00 95 E5 40 EE FF EB 04 00 95 E5 06 10 A0 E1 26 E8 FF EB 04 00 95 E5 49 EE FF EB 04 00 95 E5 55 EE FF EB 04 00 95 E5 06 10 A0 E1 1F E8 FF EB 00 10 9A E5 00 00 51 E3 05 00 00 1A DC 2F 8F E2 90 13 9F E5 02 00 A0 E3 C2 70 01 EB 00 10 A0 E1 00 10 8A E5 04 00 95 E5 14 E8 FF EB 04 00 95 E5 DD 1F 8F E2 11 E8 FF EB 04 00 95 E5 DE 1F 8F E2 0E E8 FF EB 04 00 95 E5 42 EF FF EB 04 00 95 E5 4B EF FF EB 04 00 95 E5 FF EF FF EB 04 00 95 E5 08 F0 FF EB 04 00 95 E5 11 F0 FF EB 04 00 95 E5 1A F0 FF EB 04 00 95 E5 23 F0 FF EB 04 00 95 E5 2C F0 FF EB 04 00 95 E5 7B F9 FF EB 32 00 A0 E3 6D 55 01 EB 00 00 50 E3 04 00 95 15 3B F0 FF 1B 06 10 A0 E1 04 00 95 E5 F4 E7 FF EB E0 AC 1B E9",
14 | 		"file":			"tools.S"
15 | 	},
16 | 	{
17 | 		"remark": 		"Rename `quit` to `OCBB`",
18 | 		"offset":		"0xB80348",
19 | 		"size":			4,
20 | 		"prev_data":	"71 75 69 74",
21 | 		"patch":		"4F 43 42 42"
22 | 	},
23 | 	{
24 | 		"remark": 		"Rename `VSPR` to `h`",
25 | 		"offset":		"0xB8045C",
26 | 		"size":			5,
27 | 		"prev_data":	"56 53 50 5C 52",
28 | 		"patch":		"48 00 00 00 00"
29 | 	},
30 | 	{
31 | 		"remark": 		"Rename `DEBUG` to `OCSD`",
32 | 		"offset":		"0xB80474",
33 | 		"size":			5,
34 | 		"prev_data":	"44 45 42 55 47",
35 | 		"patch":		"4F 43 53 44 00"
36 | 	},
37 | 	{
38 | 		"remark": 		"Rename `NULL_CMD` to `FAN`",
39 | 		"offset":		"0xB804D0",
40 | 		"size":			8,
41 | 		"prev_data":	"4E 55 4C 4C 5F 43 4D 44",
42 | 		"patch":		"46 41 4E 00 00 00 00 00"
43 | 	},
44 | 	{
45 | 		"remark": 		"Add function handler for new functions",
46 | 		"offset":		"0xAFD768",
47 | 		"size":			116,
48 | 		"prev_data":	"0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A 1F 8F E2 00 50 A0 E1 FE 96 00 EB 54 12 9F E5 04 00 95 E5 01 00 50 E1 09 00 00 1A 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 00 00 A0 E3 98 00 85 E5 2C 02 9F E5 36 00 00 EB 91 1F 8F E2 05 00 00 EA 04 00 A0 E3 28 00 85 E5 00 00 A0 E3 60 00 85 E5 98 00 85 E5 8B 1F 8F E2 04 00 95 E5 65 D7 FF EB",
49 | 		"file":			"fan_handle.S"
50 | 	},
51 | 	{
52 | 		"remark": 		"Immediately Break sub_E75D98 w/ jump to E76184",
53 | 		"offset":		"0x404394",
54 | 		"size":			4,
55 | 		"prev_data":	"0D C0 A0 E1",
56 | 		"patch":		"F9 00 00 EA"
57 | 	},
58 | 	{
59 | 		"remark": 		"0xE76184 Logging Patch",
60 | 		"offset":		"0x404784",
61 | 		"size":			172,
62 | 		"prev_data":	"E0 DC 2D E9 04 B0 4C E2 4A DF 4D E2 00 A0 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 05 20 A0 E3 14 11 9F E5 46 0F 8D E2 2D 5D 5C EB 0C 11 9F E5 00 00 95 E5 01 00 50 E1 46 1F 8D 02 05 00 A0 01 1E FE FF 0B 00 00 95 E5 00 00 90 E5 00 00 50 E3 E0 AC 1B D9 18 01 DD E5 00 00 50 E3 E0 AC 1B 09 18 00 8D E2 40 10 A0 E3 57 9E 5B EB D0 10 9F E5 00 00 91 E5 12 1E 9D E2 10 10 8D 02 25 9A 5B EB 00 00 50 E3 0C 00 00 1A 00 00 5A E3 B4 50 8F 02 B8 50 8F 12 BC 00 9F E5 24 11 9D E5 2C A3 5B EB 00 C0 A0 E1 20 A1 9D E5 07 00 A0 E1",
63 | 		"file":			"fan_log.S"
64 | 	},
65 | 	{
66 | 		"remark": 		"Add entry jump to OCBB",
67 | 		"offset":		"0xB97634",
68 | 		"size":			4,
69 | 		"prev_data":	"74 9E 01 00",
70 | 		"patch":		"74 D1 01 00"
71 | 	},
72 | 	{
73 | 		"remark": 		"Add entry jump to health",
74 | 		"offset":		"0xB97848",
75 | 		"size":			4,
76 | 		"prev_data":	"7C C8 01 00",
77 | 		"patch":		"5C D1 01 00"
78 | 	},
79 | 	{
80 | 		"remark": 		"Add entry jump to OCSD",
81 | 		"offset":		"0xB9789C",
82 | 		"size":			4,
83 | 		"prev_data":	"C8 CE 01 00",
84 | 		"patch":		"6C D1 01 00"
85 | 	},
86 | 	{
87 | 		"remark": 		"Add entry jump to fan",
88 | 		"offset":		"0xB9797C",
89 | 		"size":			4,
90 | 		"prev_data":	"5C D1 01 00",
91 | 		"patch":		"64 D1 01 00"
92 | 	}
93 | ]
94 | 


--------------------------------------------------------------------------------
/patches/277-tools/readme.md:
--------------------------------------------------------------------------------
1 | # v2.77 tools
2 | 
3 | Includes the tools from Airbus Security Labs for probing memory over SSH
4 | 


--------------------------------------------------------------------------------
/patches/277/asm/fn_handler.S:
--------------------------------------------------------------------------------
 1 | h:
 2 | 	MOV		r0, #5		; entrypoint for health (call switch #5)
 3 | 	B		start
 4 | 
 5 | fan:
 6 | 	MOV		r0, #6		; entrypoint for fan (call switch #6)
 7 | 	B		start
 8 | 
 9 | ocsd:
10 | 	MOV		r0, #7		; entrypoint for ocsd (call switch #7)
11 | 	B		start
12 | 
13 | ocbb:
14 | 	MOV		r0, #8		; entrypoint for ocbb (call switch #8)
15 | 
16 | start:
17 | 	MOV		R12, SP				; Initialize
18 | 	PUSH	{R11, R12, LR, PC}
19 | 	SUB		R11, R12, #4
20 | 	SUB		SP, SP, #0xA00		; Allocate space on stack for IPC struct
21 | 	STR		R0, [SP]			; Store R0 as first value in struct (switch value)
22 | 	MOV		R3, #0				; Init R3 to zero
23 | 	ADD		R2, SP, #4			; Move R2 to write at 0x4 in IPC struct
24 | 	ADD		R0, R7, #0x1000		; Move R0 to start of input arg
25 | loop:							; Parse string char-by-char
26 | 	LDRB	R1, [R0], #1		; Load char from string; R0++ (0x1000+i)
27 | 	CMP		R1, #0x20			; if loaded == ' '
28 | 	STRBEQ	R3, [R2],#1			;	then store \0 into R2, R2++
29 | 	STRBNE	R1, [R2],#1			;	else store char in R2, r2++
30 | 	CMP		R1, #0				; if char != \0
31 | 	BNE		loop				; 	then loop
32 | 	STRB	R3, [R2]			; store final \0 onto R2
33 | 	MOV		R0, SP				; Setup call
34 | 	ADD		R1, SP, #0x500		; Setup call
35 | 	BL		0x3e420				; health_ipc_call(SP, SP+500)
36 | 	LDR		R0, [SP,#0x500]		; load yielded value to R0
37 | 	LDMDB	R11, {R11,SP,PC}	; exit
38 | 
39 | 	.word	0x00000000
40 | 	.word	0x00000000
41 | 


--------------------------------------------------------------------------------
/patches/277/asm/stdout.S:
--------------------------------------------------------------------------------
 1 | start:									; MOV R12, SP (not overwritten)
 2 | 	PUSH	{R1-R3}						; init
 3 | 	MOV		R2, SP
 4 | 	PUSH	{R6, R7, R11, R12, LR, PC}
 5 | 	SUB		R11, R12, #0x10
 6 | 	SUB		SP, SP, #0x400				; Allocate space on stack
 7 | 	MOV		R1, R0						; save first parameter
 8 | 	ADD		R0, SP, #0x80				; Set R0 to 0x80 in stack struct
 9 | 	BL		0x1718b34					; libc call (?)
10 | 	MOV		R6, #0xD					; R6 = 0xD (\r)
11 | 	ADD		R7, SP, #0x80				; Move R7 to 0x80 in stack struct
12 | restart:
13 | 	ADD		R3, SP, #0x5C				; Move R3 to 0x5C in stack struct
14 | 	ADD		R0, SP, #0x08				; Move R0 to 0x08 in stack struct
15 | charloop:								;
16 | 	LDRB	R1, [R7], #1				; Read from 0x80+i
17 | 	CMP		R1, #0xA					; if char == \n
18 | 	STRBEQ	R6,[R0],#1					;	then store 0xD \r, R0++
19 | 	CMP		R1, #0						; if char == \0
20 | 	SUBEQ	R7, R7, #1					;	then R7 = R7 - 1 (move one character backwards?)
21 | 	CMPNE	R0, R3						;	else if R0 != R3
22 | 	STRB	R1, [R0], #1				; always store char @ R0 (why is this here?)
23 | 	CMPNE	R0, R3						;		else if R0 != R3
24 | 	BNE		charloop					;			break for next char
25 | 	MOV		R1, #0x0					; R1 = \0
26 | 	STRB	R1, [R0]					; store \0 at end of R0
27 | 	MOV		R2, #0x3					; R2 = 0x3
28 | 	STR		R2, [SP, #0x4]				; store 3 @ 0x4 in struct
29 | 	MOV		R1, #0x1					; R1 = 0x1
30 | 	STR		R1, [SP, #0x60]				; store 1 @ 0x60 in struct
31 | 	MOV		R0, #0xC					; R0 = #0xC
32 | 	STR		R0, [SP]					; store 0xC @ 0x0 in struct
33 | 	ADD		R3, SP, #0x64				; R3 = SP + 0x64
34 | 	MOV		R2, #0x60					; R2 = 0x60
35 | 	ADD		R1, SP, #4					; R1 = SP + 0x4
36 | 	ADR		R0, vspLabel				; R0 = VSPCHANNEL Task
37 | 	BL		0x17e6cb4					; create IPC call (this is similar to .ConAppCLI's sub_5B57C / health IPC call)
38 | 	LDRB	R0, [R7]					; get current character
39 | 	CMP		R0, #0						; if != \0
40 | 	BNE		restart						;	restart (send another line?)
41 | 	LDR		R0, [SP, #0x64]				; end
42 | 	LDMDB	R11, {R6, R7, R11, SP, PC}	; end
43 | 
44 | vspLabel:
45 | 	.string	"VSPCHANNEL"
46 | 
47 | 	.word	0x0
48 | 	.byte	0x0
49 | 


--------------------------------------------------------------------------------
/patches/277/config:
--------------------------------------------------------------------------------
1 | NAME="277"
2 | BINARY_NAME="ilo4_277.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v188589/CP046020.scexe"
4 | BINARY_SHA1="128f2ce1834dd68e0b2d806243e14fcc27b51364"
5 | RESULT_SHA1="952dd04199698f861738759b2986323472ce3685"
6 | 


--------------------------------------------------------------------------------
/patches/277/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FBB0",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/277/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x96EDE8",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"Rename `quit` to `OCBB`",
11 | 		"offset":		"0xB80348",
12 | 		"size":			4,
13 | 		"prev_data":	"71 75 69 74",
14 | 		"patch":		"4F 43 42 42"
15 | 	},
16 | 	{
17 | 		"remark": 		"Rename `VSPR` to `h`",
18 | 		"offset":		"0xB8045C",
19 | 		"size":			5,
20 | 		"prev_data":	"56 53 50 5C 52",
21 | 		"patch":		"48 00 00 00 00"
22 | 	},
23 | 	{
24 | 		"remark": 		"Rename `DEBUG` to `OCSD`",
25 | 		"offset":		"0xB80474",
26 | 		"size":			5,
27 | 		"prev_data":	"44 45 42 55 47",
28 | 		"patch":		"4F 43 53 44 00"
29 | 	},
30 | 	{
31 | 		"remark": 		"Rename `NULL_CMD` to `FAN`",
32 | 		"offset":		"0xB804D0",
33 | 		"size":			8,
34 | 		"prev_data":	"4E 55 4C 4C 5F 43 4D 44",
35 | 		"patch":		"46 41 4E 00 00 00 00 00"
36 | 	},
37 | 	{
38 | 		"remark": 		"Add function handler for new functions",
39 | 		"offset":		"0xAFD768",
40 | 		"size":			116,
41 | 		"prev_data":	"0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A 1F 8F E2 00 50 A0 E1 FE 96 00 EB 54 12 9F E5 04 00 95 E5 01 00 50 E1 09 00 00 1A 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 00 00 A0 E3 98 00 85 E5 2C 02 9F E5 36 00 00 EB 91 1F 8F E2 05 00 00 EA 04 00 A0 E3 28 00 85 E5 00 00 A0 E3 60 00 85 E5 98 00 85 E5 8B 1F 8F E2 04 00 95 E5 65 D7 FF EB",
42 | 		"file":			"fn_handler.S"
43 | 	},
44 | 	{
45 | 		"remark": 		"Immediately Break sub_E75D98 w/ jump to E76184",
46 | 		"offset":		"0x404394",
47 | 		"size":			4,
48 | 		"prev_data":	"0D C0 A0 E1",
49 | 		"patch":		"F9 00 00 EA"
50 | 	},
51 | 	{
52 | 		"remark": 		"0xE76184 Logging Patch",
53 | 		"offset":		"0x404784",
54 | 		"size":			172,
55 | 		"prev_data":	"E0 DC 2D E9 04 B0 4C E2 4A DF 4D E2 00 A0 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 05 20 A0 E3 14 11 9F E5 46 0F 8D E2 2D 5D 5C EB 0C 11 9F E5 00 00 95 E5 01 00 50 E1 46 1F 8D 02 05 00 A0 01 1E FE FF 0B 00 00 95 E5 00 00 90 E5 00 00 50 E3 E0 AC 1B D9 18 01 DD E5 00 00 50 E3 E0 AC 1B 09 18 00 8D E2 40 10 A0 E3 57 9E 5B EB D0 10 9F E5 00 00 91 E5 12 1E 9D E2 10 10 8D 02 25 9A 5B EB 00 00 50 E3 0C 00 00 1A 00 00 5A E3 B4 50 8F 02 B8 50 8F 12 BC 00 9F E5 24 11 9D E5 2C A3 5B EB 00 C0 A0 E1 20 A1 9D E5 07 00 A0 E1",
56 | 		"file":			"stdout.S"
57 | 	},
58 | 	{
59 | 		"remark": 		"Add entry jump to OCBB",
60 | 		"offset":		"0xB97634",
61 | 		"size":			4,
62 | 		"prev_data":	"74 9E 01 00",
63 | 		"patch":		"74 D1 01 00"
64 | 	},
65 | 	{
66 | 		"remark": 		"Add entry jump to health",
67 | 		"offset":		"0xB97848",
68 | 		"size":			4,
69 | 		"prev_data":	"7C C8 01 00",
70 | 		"patch":		"5C D1 01 00"
71 | 	},
72 | 	{
73 | 		"remark": 		"Add entry jump to OCSD",
74 | 		"offset":		"0xB9789C",
75 | 		"size":			4,
76 | 		"prev_data":	"C8 CE 01 00",
77 | 		"patch":		"6C D1 01 00"
78 | 	},
79 | 	{
80 | 		"remark": 		"Add entry jump to fan",
81 | 		"offset":		"0xB9797C",
82 | 		"size":			4,
83 | 		"prev_data":	"5C D1 01 00",
84 | 		"patch":		"64 D1 01 00"
85 | 	}
86 | ]
87 | 


--------------------------------------------------------------------------------
/patches/277/patches.md:
--------------------------------------------------------------------------------
 1 | # Patches
 2 | To the best of my ability, I've documented the patched bytes included in the patch_userland.json file below.
 3 | 
 4 | ## 0xE76184 Logging Patch
 5 | This is the only patch I had to change. It makes some calls to relative libraries in memory (libc & VCom Shared), whose positions moved (I guess if the local memory got shifted due to changes of library sizes, etc). I originally didn't notice this and it caused an stdout error (see research/2022-02-19). Our patch is identical to 273, except we move the BL instructions to point to the correct offsets.
 6 | 
 7 | Otherwise, I moved around offsets. Here's some Array of Bytes / AoBs I used to track down the pointers:
 8 | 
 9 | Check out my documented asm in asm/stdout.S
10 | 
11 | ## Bypass signature check : BEQ XX -> B XX
12 | AOB 02 80 83 E0 87 1E 00 EB 00 20 B0 E1 1D 00 00 0A
13 | one match
14 | 
15 | ## Command Strings (`quit`)
16 | AOB 00 00 00 00 71 75 69 74 00 00 00 00 6F 65 6D 68
17 | one match
18 | 
19 | (look nearby for the rest of the command strings)
20 | 
21 | ## Function entrypoint
22 | AOB 0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A
23 | one match
24 | 
25 | Check out my documented asm in asm/fn_handler.S
26 | 
27 | ## Health Break
28 | AOB 0D C0 A0 E1 0E 00 2D E9 00 D8 2D E9 10 B0 4C E2  08 D0 4D E2
29 | 9th match -- it's probably safe-r to use IDA and find the match inside the .health segment
30 | 
31 | I always struggled to find the actual logging code placement -- it's likely easiest to just go to the breakpoint and scroll down, or patch Health Break above and follow the jump, since the pointer stays correct
32 | 
33 | ## Command Function Calls
34 | All of the function calls have pretty unique AoBs for their actual call pointers; i.e.
35 | 74 9E 01 00 -> OCBB (use the second match!)
36 | 7C C8 01 00 -> health (use the first match!)
37 | C8 CE 01 00 -> OCSD (use the second match!)
38 | 5C D1 01 00 -> Fan (use the last match!)
39 | 
40 | Just find the match that's within the concli .data -- there's a few duplicates because these methods are duplicates (i.e. exit/quit call the same thing), but you should be able to use the order to figure it out. Command order doesn't change between builds (historically anyway).
41 | 
42 | ## Kernel Patch
43 | AOB 30 10 95 E5 00 00 50 E3 04 00 00 0A 00 00 51 E3
44 | one match
45 | 


--------------------------------------------------------------------------------
/patches/277/readme.md:
--------------------------------------------------------------------------------
1 | # iLO 2.77 Patch
2 | 
3 | This patch patches the signature checking in the kernel + bootloader (just like 250/), as well as applies modifications
4 | to the iLO to unlock the iLO's locked fan controller, etc methods. More or less, it is an updated version of 2.73's patches applied onto 2.77.
5 | 


--------------------------------------------------------------------------------
/patches/278/config:
--------------------------------------------------------------------------------
1 | NAME="278"
2 | BINARY_NAME="ilo4_278.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v190650/CP046465.scexe"
4 | BINARY_SHA1="3d2cbbbde4bae76d6d9ead270eff445d5dda82fd"
5 | RESULT_SHA1="f5ffde92168ec9e18102c4125f23079c954f3d71"
6 | 


--------------------------------------------------------------------------------
/patches/278/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/278/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FBB0",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/278/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x964ADC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"Rename `quit` to `OCBB`",
11 | 		"offset":		"0xB73F70",
12 | 		"size":			4,
13 | 		"prev_data":	"71 75 69 74",
14 | 		"patch":		"4F 43 42 42"
15 | 	},
16 | 	{
17 | 		"remark": 		"Rename `VSPR` to `h`",
18 | 		"offset":		"0xB74084",
19 | 		"size":			5,
20 | 		"prev_data":	"56 53 50 5C 52",
21 | 		"patch":		"48 00 00 00 00"
22 | 	},
23 | 	{
24 | 		"remark": 		"Rename `DEBUG` to `OCSD`",
25 | 		"offset":		"0xB7409C",
26 | 		"size":			5,
27 | 		"prev_data":	"44 45 42 55 47",
28 | 		"patch":		"4F 43 53 44 00"
29 | 	},
30 | 	{
31 | 		"remark": 		"Rename `NULL_CMD` to `FAN`",
32 | 		"offset":		"0xB740F8",
33 | 		"size":			8,
34 | 		"prev_data":	"4E 55 4C 4C 5F 43 4D 44",
35 | 		"patch":		"46 41 4E 00 00 00 00 00"
36 | 	},
37 | 	{
38 | 		"remark": 		"Add function handler for new functions",
39 | 		"offset":		"0xAF1390",
40 | 		"size":			116,
41 | 		"prev_data":	"0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A 1F 8F E2 00 50 A0 E1 FE 96 00 EB 54 12 9F E5 04 00 95 E5 01 00 50 E1 09 00 00 1A 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 00 00 A0 E3 98 00 85 E5 2C 02 9F E5 36 00 00 EB 91 1F 8F E2 05 00 00 EA 04 00 A0 E3 28 00 85 E5 00 00 A0 E3 60 00 85 E5 98 00 85 E5 8B 1F 8F E2 04 00 95 E5 65 D7 FF EB",
42 | 		"patch":		"05 00 A0 E3 04 00 00 EA 06 00 A0 E3 02 00 00 EA 07 00 A0 E3 00 00 00 EA 08 00 A0 E3 0D C0 A0 E1 00 D8 2D E9 04 B0 4C E2 0A DC 4D E2 00 00 8D E5 00 30 A0 E3 04 20 8D E2 01 0A 87 E2 01 10 D0 E4 20 00 51 E3 01 30 C2 04 01 10 C2 14 00 00 51 E3 F9 FF FF 1A 00 30 C2 E5 0D 00 A0 E1 05 1C 8D E2 EE F8 00 EB 00 05 9D E5 00 A8 1B E9 00 00 00 00 00 00 00 00"
43 | 	},
44 | 	{
45 | 		"remark": 		"Add entry jump to OCBB",
46 | 		"offset":		"0xB8B25C",
47 | 		"size":			4,
48 | 		"prev_data":	"74 9E 01 00",
49 | 		"patch":		"74 D1 01 00"
50 | 	},
51 | 	{
52 | 		"remark": 		"Add entry jump to health",
53 | 		"offset":		"0xB8B470",
54 | 		"size":			4,
55 | 		"prev_data":	"7C C8 01 00",
56 | 		"patch":		"5C D1 01 00"
57 | 	},
58 | 	{
59 | 		"remark": 		"Add entry jump to OCSD",
60 | 		"offset":		"0xB8B4C4",
61 | 		"size":			4,
62 | 		"prev_data":	"C8 CE 01 00",
63 | 		"patch":		"6C D1 01 00"
64 | 	},
65 | 	{
66 | 		"remark": 		"Add entry jump to fan",
67 | 		"offset":		"0xB8B5A4",
68 | 		"size":			4,
69 | 		"prev_data":	"5C D1 01 00",
70 | 		"patch":		"64 D1 01 00"
71 | 	}
72 | ]
73 | 


--------------------------------------------------------------------------------
/patches/278/patches.md:
--------------------------------------------------------------------------------
1 | # Patches
2 | To the best of my ability, I've documented the patched bytes included in the patch_userland.json file below.
3 | 
4 | ... coming soon! mostly, however, it matches 273's patches.
5 | 


--------------------------------------------------------------------------------
/patches/278/readme.md:
--------------------------------------------------------------------------------
1 | # iLO 2.78 Patch
2 | 
3 | This patch patches the signature checking in the kernel + bootloader (just like 250/), as well as applies modifications to the iLO to enable access to `health` calls.
4 | 
5 | HOWEVER! HPE has REMOVED all of our useful utilities in iLO 2.78. So, this patch is dead for now.
6 | 


--------------------------------------------------------------------------------
/patches/279/config:
--------------------------------------------------------------------------------
1 | NAME="279"
2 | BINARY_NAME="ilo4_279.bin"
3 | BINARY_URL="https://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v204995/CP049647.scexe"
4 | BINARY_SHA1="5eda64af2351907ef8f40cb828e88b554d46bc54"
5 | RESULT_SHA1="973c31a142489cdc02e800cbba75fc0021388055"
6 | 


--------------------------------------------------------------------------------
/patches/279/patch_bootloader.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BNE XX -> MOV R0, #0",
 4 | 		"offset":		"0x38BC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"4000001A",
 7 | 		"patch":		"0000A0E1"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/279/patch_kernel.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Patch signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x1FBB0",
 5 | 		"size":			4,
 6 | 		"prev_data":	"0400000A",
 7 | 		"patch":		"040000EA"
 8 | 	}
 9 | ]
10 | 


--------------------------------------------------------------------------------
/patches/279/patch_userland.json:
--------------------------------------------------------------------------------
 1 | [
 2 | 	{
 3 | 		"remark": 		"Bypass signature check : BEQ XX -> B XX",
 4 | 		"offset":		"0x964ADC",
 5 | 		"size":			4,
 6 | 		"prev_data":	"1D 00 00 0A",
 7 | 		"patch":		"1D 00 00 EA"
 8 | 	},
 9 | 	{
10 | 		"remark": 		"Rename `quit` to `OCBB`",
11 | 		"offset":		"0xB73F70",
12 | 		"size":			4,
13 | 		"prev_data":	"71 75 69 74",
14 | 		"patch":		"4F 43 42 42"
15 | 	},
16 | 	{
17 | 		"remark": 		"Rename `VSPR` to `h`",
18 | 		"offset":		"0xB74084",
19 | 		"size":			5,
20 | 		"prev_data":	"56 53 50 5C 52",
21 | 		"patch":		"48 00 00 00 00"
22 | 	},
23 | 	{
24 | 		"remark": 		"Rename `DEBUG` to `OCSD`",
25 | 		"offset":		"0xB7409C",
26 | 		"size":			5,
27 | 		"prev_data":	"44 45 42 55 47",
28 | 		"patch":		"4F 43 53 44 00"
29 | 	},
30 | 	{
31 | 		"remark": 		"Rename `NULL_CMD` to `FAN`",
32 | 		"offset":		"0xB740F8",
33 | 		"size":			8,
34 | 		"prev_data":	"4E 55 4C 4C 5F 43 4D 44",
35 | 		"patch":		"46 41 4E 00 00 00 00 00"
36 | 	},
37 | 	{
38 | 		"remark": 		"Add function handler for new functions",
39 | 		"offset":		"0xAF1390",
40 | 		"size":			116,
41 | 		"prev_data":	"0D C0 A0 E1 20 D8 2D E9 04 B0 4C E2 8B 13 00 EB 9A 1F 8F E2 00 50 A0 E1 FE 96 00 EB 54 12 9F E5 04 00 95 E5 01 00 50 E1 09 00 00 1A 02 00 A0 E3 28 00 85 E5 08 00 A0 E3 60 00 85 E5 00 00 A0 E3 98 00 85 E5 2C 02 9F E5 36 00 00 EB 91 1F 8F E2 05 00 00 EA 04 00 A0 E3 28 00 85 E5 00 00 A0 E3 60 00 85 E5 98 00 85 E5 8B 1F 8F E2 04 00 95 E5 65 D7 FF EB",
42 | 		"patch":		"05 00 A0 E3 04 00 00 EA 06 00 A0 E3 02 00 00 EA 07 00 A0 E3 00 00 00 EA 08 00 A0 E3 0D C0 A0 E1 00 D8 2D E9 04 B0 4C E2 0A DC 4D E2 00 00 8D E5 00 30 A0 E3 04 20 8D E2 01 0A 87 E2 01 10 D0 E4 20 00 51 E3 01 30 C2 04 01 10 C2 14 00 00 51 E3 F9 FF FF 1A 00 30 C2 E5 0D 00 A0 E1 05 1C 8D E2 EE F8 00 EB 00 05 9D E5 00 A8 1B E9 00 00 00 00 00 00 00 00"
43 | 	},
44 | 	{
45 | 		"remark": 		"Add entry jump to OCBB",
46 | 		"offset":		"0xB8B25C",
47 | 		"size":			4,
48 | 		"prev_data":	"74 9E 01 00",
49 | 		"patch":		"74 D1 01 00"
50 | 	},
51 | 	{
52 | 		"remark": 		"Add entry jump to health",
53 | 		"offset":		"0xB8B470",
54 | 		"size":			4,
55 | 		"prev_data":	"7C C8 01 00",
56 | 		"patch":		"5C D1 01 00"
57 | 	},
58 | 	{
59 | 		"remark": 		"Add entry jump to OCSD",
60 | 		"offset":		"0xB8B4C4",
61 | 		"size":			4,
62 | 		"prev_data":	"C8 CE 01 00",
63 | 		"patch":		"6C D1 01 00"
64 | 	},
65 | 	{
66 | 		"remark": 		"Add entry jump to fan",
67 | 		"offset":		"0xB8B5A4",
68 | 		"size":			4,
69 | 		"prev_data":	"5C D1 01 00",
70 | 		"patch":		"64 D1 01 00"
71 | 	}
72 | ]
73 | 


--------------------------------------------------------------------------------
/patches/279/patches.md:
--------------------------------------------------------------------------------
1 | # Patches
2 | To the best of my ability, I've documented the patched bytes included in the patch_userland.json file below.
3 | 
4 | ... coming soon! mostly, however, it matches 273's patches.
5 | 


--------------------------------------------------------------------------------
/patches/279/readme.md:
--------------------------------------------------------------------------------
1 | # iLO 2.79 Patch
2 | 
3 | This patch patches the signature checking in the kernel + bootloader (just like 250/), as well as applies modifications to the iLO to enable access to `health` calls.
4 | 
5 | HOWEVER! HPE has REMOVED all of our useful utilities in iLO 2.78. So, this patch is dead for now.
6 | 


--------------------------------------------------------------------------------
/patches/latest:
--------------------------------------------------------------------------------
1 | 277
2 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | keystone-engine==0.9.2
2 | paramiko==2.9.2
3 | 


--------------------------------------------------------------------------------
/research/2022-02-15-initial-findings.md:
--------------------------------------------------------------------------------
  1 | # 2022-02-15: Initial Findings
  2 | 
  3 | ## First Glance
  4 | I begun my work reading through the iLO4 Toolbox docs & research papers. At first, I didn't actually realize the scripts from iLO4 toolbox existed (would have helped if I read the reddit thread), so I was splitting up binary files into their composite images by hand ... a lot of fun! Unfortunately, since the ELFs were compressed, splitting them by hand doesn't really work.
  5 | 
  6 | It took me a while to realize that though - I was pretty confused when the extracted ELF was missing bytes haphazardly within the header. Turns out there isn't some magic special ELF parser they use, they just compress the entire binary.
  7 | 
  8 | Here's a snippet of my very confused notes:
  9 | ```
 10 | Genuine firmware starts with signatures:
 11 | HP Signed File Header
 12 | certificates
 13 | HPImage blob
 14 | in bytes 0-1b1b
 15 | this can be deleted to start with "ILO4 v" text.
 16 | 
 17 | After trimming, payload is 1000000(h) long
 18 | 
 19 | Inside payload, multiple code sections
 20 | the first: 440(h) long (0-43F) (kernel main)
 21 | the second: EEFBC0(h) long (440-EEFFFF) (lots to unpack ...) (userland)
 22 | the third: 110000(h) long (EF0000-FFFFFF) (few changes here) (kernel recovery)
 23 | 
 24 | each payload has a header & is able to be compressed ...
 25 | 
 26 | a header:
 27 | 440h long
 28 | 	4 bytes: ilo magic string (4 bytes) (always "iLO4")
 29 | 	28 bytes: build version string (" v 2.73.2 11-Feb-2020"), truncated with 1A00
 30 | 	2 bytes: uint32 w/ 'type' 0x0800
 31 | 	2 bytes: uint32 w/ compression_type 0x0010
 32 | 	4 bytes: unknown field 0x25100000
 33 | 	4 bytes: unknown field 0xa66a1000
 34 | 	4 bytes: decompressed size (uint32) = 24026548 (doesn't change / doesn't matter?)
 35 | 	4 bytes: raw size / compressed size (uint32) = 13761901 (changes 30-33h!) (is the total byte size from header start - start of final pad)
 36 | 	4 bytes: load address (uint32) = 0xFFFFFFFF
 37 | 	4 bytes: unknown field 0x00000000
 38 | 	4 bytes: unknown field 0xFFFFFFFF
 39 | 	200 bytes: signature (doesn't have to change)
 40 | 	200 bytes: padding (filled with 0xFF..)
 41 | 
 42 | 
 43 | from original 273
 44 | compressed size D1FD6D raw size 16E9DB4
 45 | D1F92D long from elf start to start of padding
 46 | EEF780 with pad
 47 | D1FD6D
 48 | 
 49 | from fan 273
 50 | compressed size D1FCEA raw size 16E9DB4
 51 | D1F92D long from start - start of final pad
 52 | this value isn't correct for some reason ...? not sure why it was modified...
 53 | D1FD6D long
 54 | 
 55 | 
 56 | last block
 57 | 75ED9 long in original
 58 | 
 59 | ELF Header:
 60 | 7F 45 4C 46 01 01 01 60 0F F5 02 00 28 00 50 0D 34 00 03 94 FD 3B 6E 01 00 0C 17 00 0B 20 FF 00 72 02 28 00 74 02 73 B7
 61 | 	7F 45 4C 46: magic
 62 | 	01: ei_class (32bit)
 63 | 	01: ei_data (little-endian)
 64 | 	01: ei_version (elf 1)
 65 | 	60: ei_osabi (?? )
 66 | 	0F: ei_abiversion
 67 | 	F5: ei_pad (should be zero filled -- seems that we skip 6 bytes here 00 00 00 00 00 00 00 -> F5)
 68 | 	02 00: e_type (executable file)
 69 | 	28 00: e_machine (ARM)
 70 | 	// 50 0D 34 00: e_version entirely omitted? (should just be 1)
 71 | 	50 0D: e_entry (shortened to 2 byets / should be 4?)
 72 | 	34 00: e_phoff
 73 | ```
 74 | 
 75 | One thing that stands out in here, however, is that there's some weird behavior from the ilo4_toolbox re-packer:
 76 | it doesn't seem to adjust the iLO4 header to contain good values for the uncompressed-size / compressed-size of the binaries. This ended up causing some errors in the extract scripts when I had to retool them to work with the fan-commands repacked binary.
 77 | 
 78 | 
 79 | ## Getting iLO4 Toolbox Running
 80 | If we use the extract tool in iLO toolbox, we get something like this:
 81 | ```
 82 | python scripts/iLO4/ilo4_extract.py ilo4_273_stock.bin extract
 83 | bootloader.bin  cert0.x509  elf.bin  elf.sig       kernel_main.bin  kernel_main.sig      kernel_recovery.raw
 84 | bootloader.hdr  cert1.x509  elf.hdr  firmware.map  kernel_main.hdr  kernel_recovery.bin  kernel_recovery.sig
 85 | bootloader.sig  cert2.x509  elf.raw  hpimage.hdr   kernel_main.raw  kernel_recovery.hdr  sign_params.raw
 86 | ```
 87 | which provides us a pretty good baseline. We're only ever going to deal with kernel_main.bin and elf.bin -- that's the kernel and userland code. We'll have to move around some offsets for these two binaries, but I diff'd the .fancommands payload compared to to the original 273.bin and found the other bytes didn't change. (afterthought: technically, we patch the bootloader too, but it doesn't change in between releases)
 88 | 
 89 | We can also use the dissection ruby script to generate IDA configs. This works terrible on Linux but I run Ida on windows anyway:
 90 | ```
 91 | gem install bindata metasm
 92 | scripts/iLO4/dissection.rb extract/elf.bin
 93 | ```
 94 | That gives us an individual loader + script + module to prepare the memory perspective as seen by each process. This is extremely useful if we have calls that jump between loaded libraries (for instance, calling libc, etc, whose position might change between releases). However, for general analysis, its not super necessary and its easier to look at a regular Ida disassembly of elf.bin. Just know that some of the function jumps & memory calls are gonna be wrong and require adjustment.
 95 | 
 96 | ## Disassemble 273.bin.fancommands
 97 | I needed to be able to diff the changes made in the fan commands binary in order to start figuring out specific patches. However, the ilo4_extract script isn't really built to handle the packed binaries. It requires a header and signatures and a bunch of other junk. I tweaked the script (/misc/extract-after-compile.py) and I was able to get an extracted elf.bin out of 273.bin.fancommands
 98 | _NB: I had to tweak around with the binary a lot to get it to decode correctly ... specifically, I added some bytes to the beginning of the header (01 00 00 00 29 32 EC AE CC 69 D8 43 BD 0E 61 DC 34 06 F7 1B 00 00 00 00) and had to adjust the size right before the ELF and within the iLO4 header. Hopefully nobody will have to replicate this work, but for reference._
 99 | 
100 | Once I had a working elf.bin from fancommands, I was able to start working on figuring out the changes. Here's /u/phoenixdev's notes that helped me understand the changes I was seeing:
101 | 
102 | ```
103 | But the problem as of late is how to get interprocess communication working between the different pieces of the puzzle. The SSH app uses registered service calls to the Command Line Interface (CLI) app, which can simply use standard out (stdout) to send data back to the SSH session (or to some serial connector). The "health" and "fan" commands (along with two other commands which aren't as useful) live in the Health app and are registered as services that any other app can call to. The result of these commands is also printed out via stdout.
104 | 
105 | That's all background info. Now what has been accomplished so far is that I have renamed one command in the CLI program ("null_cmd", you use it all the time, don't you?) to "fan" and created a function that passed the arguments to the Health app's "fan" service. This enables me to use all of the "fan" command options, with one caveat. I don't get to see the output. I guess that different programs don't tie their stdouts together in iLO; only the CLI app somehow got direct access to writing to SSH.
106 | 
107 | There are three remaining steps: The first is to create a new service inside of the CLI app so that any app can eventually write to stdout. The second is to hijack the health app's printf function and redirect it to the new service. Finally, hack one more command ("vsp/r" - does the same exact thing as "vsp") and redirect it to the "h" command.
108 | ```
109 | 
110 | Onto [Reproducing v2.73](2022-02-16-reproducing-273.md)!
111 | 


--------------------------------------------------------------------------------
/research/2022-02-16-reproducing-273.md:
--------------------------------------------------------------------------------
 1 | # 2022-02-16: Reproducing 2.73
 2 | I write patches to fully reproduce /u/phoenixdev's patched iLO 2.73
 3 | 
 4 | Once I had the original v2.73 binary and phoenixdev's, finding the differences was pretty easy. I first ran bindiff, and was mostly confused by the results. But, since we're looking at byte-sized code injections, it's a lot easier to just diff the hexdumps.
 5 | 
 6 | Here's a quick summary of the first things I noticed:
 7 | - We have some new code with 4 entrypoints, likely related to the 4 new functions
 8 | ![New function entrypoints](img/new-function-entrypoints.png)
 9 | - We have a bunch of strings ("null_cmd", etc) that have changed values to our new functions (4 new strings)
10 | - There's some random 4 byte words that have changed in the CLI's .data file (4 of them!)
11 | - .health has had one function completely branched into a second function
12 | - The second function in .health seems to replace otherwise dead code, and contains some unknown code w/ a ref to "VSPChannel"
13 | - There's a change in the firmware update manager(? FUM) that bypasses a signature check during firmware updates
14 | 
15 | I didn't delay too much here: I took the offsets of each injection, and noted the original bytes and the new bytes. I wanted to produce v2.73 in a consistent manner first, so I took them as-is without worrying too much about changing any offsets / relative calls. I saved these patches into a JSON file for later automatic building.
16 | 
17 | ## Patch System
18 | There's a patch system built into ilo4_toolbox to allow their code injection example to work. However, it was pretty messy and not super extensible. So, I spun up a Git repo (you're on it!) and organized ilo4_toolbox's code into a submodule. Then, I rewrote their patching code into something that can take patches from a JSON file. I'm not really a python dev, but I suffered for a short script since the original was all Python.
19 | 
20 | ## End of Day Products
21 | I've fully produced a byte-for-byte replica of phoenixdev's original firmware, using explicitly patches that have been documented in patches/273/patches.md. There's still more work to be done in terms of researching each patch to replicate it on the latest iLO version, but that's for tomorrow.
22 | 
23 | Onto [Docs](2022-02-17-docs.md)!
24 | 


--------------------------------------------------------------------------------
/research/2022-02-17-docs.md:
--------------------------------------------------------------------------------
  1 | # 2022-02-17: Docs
  2 | I work up a build system to transparently build iLO binaries & read a bunch of assembly.
  3 | 
  4 | Now that I had an identical file for v2.73, I knew I was in a good place to work on migrating v2.79. However, before I could, I needed to actually understand the implications of the code within v2.73, so I could adjust relative calls as necessary. I got distracted a lot here looking into random stuff, so pardon the mess. Here's some snippets from my findings:
  5 | 
  6 | _NB: most of the useful info here is also written in the patches/273/patches.md file!_
  7 | 
  8 | ```
  9 | shell commands are stored in struct array -- see:
 10 | 
 11 | 00000000 shell_cmd       struc ; (sizeof=0x1C, mappedto_3)
 12 | 00000000                                         ; XREF: .ConAppCLI.elf.data:0220D5E4/r
 13 | 00000000 addr1           DCD ?
 14 | 00000004 addr2           DCD ?                   ; offset (00000000)
 15 | 00000008 addr3           DCD ?                   ; offset (00000000)
 16 | 0000000C addr4           DCD ?                   ; offset (00000000)
 17 | 00000010 num0            DCD ?                   ; offset (00000000)
 18 | 00000014 num1            DCD ?                   ; offset (00000000)
 19 | 00000018 num2            DCD ?                   ; offset (00000000)
 20 | 0000001C shell_cmd       ends
 21 | 0000001C
 22 | 54 shell commands defined
 23 | order appears to match strings in string list
 24 | 
 25 | a case study for 'help' command:
 26 | help is #7 (indx 6)
 27 | 4C FA 09 00 - addr1 (0009FA4C)
 28 | 28 8B 01 00 - entry (00018B28)
 29 | A4 3F 01 00 - addr3 (00013FA4)
 30 | A4 50 01 00 - addr4 (000150A4)
 31 | 
 32 | entrypoint is @
 33 | .ConAppCLI.elf.text:0216EB28 (CLI_helpHandler)
 34 | .ConAppCLI.elf.text begins @ 02166000
 35 | virtual memory begins at 0x00010000 so
 36 | entry @ 0x18B28 - 0x10000 + 0x02166000 = 0x216EB28 = CLI_helpHandler
 37 | 
 38 | addr1 = points to name string
 39 | addr2 = points to entrypoint fn
 40 | addr3 = points to `version help` function
 41 | addr4 = points to `help help` function
 42 | ```
 43 | This is the shell command data stored in .ConAppCLI.elf.data - basically a big array of commands that each have a pointer to their name, entrypoint, help, and version data. This makes sense, since our patch that shifts the entrypoint changes these bytes 4x, once for each function call. Specifically, as one might imagine, it shifts `addr2` which is the entrypoint. Once I figured out how the pointers worked in virtual memory (they're relative to the running memory, which would make sense & is a lot easier to view in the dissected view of the task from ilo4_toolbox!) it was pretty easy to figure out how we're adjusting them to point to our new entrypoints.
 44 | 
 45 | ```
 46 | .health call traced back; uses jumptable w/ 5/6/7/8 value to call fan
 47 | ```
 48 | In our entrypoints, we had some magic numbers 5/6/7/8 that was used to setup the fan/ocsd/health/ocbb calls. Turns out that .health has a big jump table / switch statement and these correspond (I guess probably to an enum) to call different functions. No surprises here, but I dug it up because I was curious what the magic numbers came from. (afterthought: this was also important to verifying the jumptable didn't change order etc between versions)
 49 | 
 50 | I did some additional digging into random stuff to figure out how arguments were being passed. I didn't really make too much progress, but I learned a good amount about the codebase:
 51 | ```
 52 | let's trace another function:
 53 | oemhp_ping takes in a single arg:
 54 | "oemhp_ping 127.0.0.1"
 55 | and reports a success string
 56 | (it also can be used more complexly:
 57 | oemhp_ping [-s size] [-c count] [-i interval] address
 58 | 
 59 | the string is defined in text at 021F5AC4
 60 | giving a relative offset of:
 61 | 0x21F5AC4 - 0x2166000 + 0x10000 = 0x9FAC4 (C4 FA 09 00)
 62 | this reveals the command to exist @ .ConAppCLI.elf.data:0220D868
 63 | and its entrypoint is
 64 | 80 A0 01 00 -> 0x01A080 + 0x2166000 - 0x10000 = 0x2170080
 65 | 
 66 | (at this point i remembered we can also use the CLI_...handler convention to find the function call)
 67 | 
 68 | .ConAppCLI.elf.text:02170080
 69 | allocates less space on the stack (#0x100)
 70 | Runs 78 01 1F E5
 71 | 
 72 | at this point, let me install the arm toolchain quickly to help me debug some of these lines
 73 | https://web1.foxhollow.ca/?menu=centos7arm
 74 | 
 75 | here's a usecase:
 76 | echo "0: 25 10 d5 e5" | xxd -r > a.bin && arm-none-eabi-objdump -D -m arm -b binary a.bin
 77 | ->    0:	e5d51025 	ldrb	r1, [r5, #37]	; 0x25
 78 | 
 79 | Runs
 80 | 0:	e51f0178 	ldr	r0, [pc, #-376]
 81 | anyway:
 82 | allocates 0x100 on stack
 83 | saves R0 (R5) and calls sub_2177F9C
 84 | saves result (R6), calls sub_2198D74 w/ R1 string (some kind of logging?)
 85 | loads 0x1570 to R0
 86 | looks like a null pointer test
 87 | 
 88 | R6 is the return value from sub_2177F9C
 89 | (not really sure what this is .... given the offset, probably some kind of
 90 | object? maybe a context-preserving obj)
 91 | R1 = R6+0x1570
 92 | R0 = SP
 93 | R0 = initial R0
 94 | R1 = "/map1" string - base address... like a regkey?
 95 | (can show/set/etc)
 96 | calls sub_2173B98 (change targets) -- this would
 97 | be the equivalent to `cd /map1`
 98 | 
 99 | R0 = R5 (initial R0)
100 | 
101 | call sub_216DB3C ( "Ping Target")
102 | 
103 | grabs context w/ context_grab
104 | accesses CTX+0x1780 -> +0x28 = R1
105 | nested structure
106 | 
107 | 0x1780 contains a pointer to unk_struct
108 | unk_struct has a value at 0x28
109 | 
110 | if R1 is nonzero
111 | 	calls value at R1 ...
112 | else
113 | 	stores 2 @ CTX+0x28
114 | 	stores 0xA @ CTX+0x60
115 | 	stores 0xB @ CTX+0x98
116 | 	stores 0xB @ CTX+0x04
117 | calls display_stats, which populates based on CTX ... makes sense
118 | ```
119 | 
120 | The train of thought here is pretty scattered. I'm tracing through a random CLI method line-by-line trying to figure out how it initializes and parses arguments. The most interesting thing I found here is that there's an object that has specific commands attached to our `context` (more on that below). Here's a rough writeup:
121 | ```
122 | CTX {
123 | ...
124 | 	0x1780 cmdRef {
125 | 		0x0 cmd ptr (#0) (used by ShowTarget)
126 | 		0x28 cmd ptr (#40) (used by PingTarget)
127 | 		0x30 cmd ptr () (used by DeleteSSHKeyTarget)
128 | 		0x34 cmd ptr () (used by ResetHotkeysTarget)
129 | 		0x2C cmd ptr (#44) (used by loadSSHKeyTarget)
130 | 		0xnn undefinedcmd = 0
131 | 	}
132 | }
133 | ```
134 | 
135 | but context??:
136 | CLI commands open with a call to something that I call 'context_grab'. It passes in R0 and gets a struct back with some data. I figured out that the structure for that looks like this:
137 | ```
138 | context_grab(data) {
139 | 	some_table = [];
140 | 	index_of(data) {
141 | 		for(int i = 0; i < 6; i++) {
142 | 			if(some_table[i][4] == data)
143 | 				return i;
144 | 		}
145 | 		return 6;
146 | 	}
147 | 	var indx = index_of(data);
148 | 	if(indx > 6) return 0;
149 | 	return some_table[indx]
150 | }
151 | ```
152 | Essentially, it just loops through the struct and finds a value based on some unique `data` value. This is R0 within the function calls. The 'some_table' struct is my next search. It seems to be allocated a pointer within the .data section, but its just zero'd out. Realistically, it should be in .bss since its an uninitialized global. Not sure what happened there. Anyway, its an array that gets allocated at runtime so not much to dissect. I used some of the construction code to get a rough outline:
153 | ```
154 | ConnectionRecords[] = [
155 | 	Record Ptr {
156 | 		0x0: value of UNK+0x108
157 | 		0x4: ??? some kind of unique identifier? (used by context_grab)
158 | 		0x8: PostSemaphore
159 | 		0xC: ReadSemaphore
160 | 		0x14: 0
161 | 		0x18:
162 | 		0x24: 0
163 | 		0x1C: 0
164 | 		0x28: 0
165 | 		0x60: 0
166 | 		0x98: 0
167 | 		0x264: ?
168 | 		0x1164: (init)
169 | 		0x126C: (init)
170 | 		0x1570: ?
171 | 	}
172 | ]
173 | ```
174 | This ConnectionRecord seems to have a fixed max length of 6. I noticed that after 5 SSH clients, I can't connect to the server anymore. So these connectionrecords get allocated individually for SSH clients (either I have an off-by-one error in my reading, or there's another permanently open ConnectionRecord that might correspond to the iLO's serial shell).
175 | 
176 | So, the start of each CLI function:
177 | has some R0, uses context_grab to get the pointer to the ConnectionRecord for the relevant connection.
178 | They use the ConnectionRecord for a few things - some stuff that looks suspiciously like string args!
179 | ```
180 | calls dword_38D8F54 (libintegrity) w/ (SP, 0x200)
181 | access connectionRecord[0x1570] & pass it to R1
182 | sub_39088D4(SP+0x900, connectionRecord[0x1570]) // this ends up being SP-0x100 based on entry since we shift SP
183 | this is some libc call - it checks == 3 and performs operations ...
184 | 
185 | sub_3908800(connectionRecord[0x264]) -> strlen
186 | if(length = 0) -> prints full help
187 | 
188 | sub_3908800(connectionRecord[0x364]) -> strlen
189 | if(length = 0) -> jumps down
190 | calls dword_38D8F54(SP+800, 0x40)
191 | ```
192 | Could connectionRecord contain the last inputted string, already spaced out? i.e.
193 | first argument @ [0x264], second argument @ [0x364]?
194 | 
195 | Certainly possible, but it wasn't used in phoenixdev's code so I tried my best to ignore it. Their code relies on some magic offset from r7, but I have no idea where r7 came from since its not initialized within the function. It would break caller convention to have input data in r7 when the function is called, though that might not matter here since our CLI functions are really an 'inner' / anonymous function of sorts. It'd be worthwhile to find the triggerer that actually calls the function from the lookup table. But I haven't found / looked too hard yet. It might define r7 to be something that makes this make more sense.
196 | 
197 | Onto [Building v2.79](2022-02-18-building-279.md)!
198 | 


--------------------------------------------------------------------------------
/research/2022-02-18-building-279.md:
--------------------------------------------------------------------------------
 1 | # 2022-02-18: Building v2.79
 2 | I write patches for v2.79
 3 | 
 4 | Before I dig into this, I looked at the changes between v2.73 and v2.79:
 5 | ```
 6 | Version:2.79 (25 Nov 2021)
 7 | Java certificate for IRC shows expired.
 8 | "Mark as Repaired" button for alerts in IML UI page is greyed out.
 9 | iLO GUI doesn't show the time adjusted to the timezone.
10 | General Exception encountered while launching Java IRC.
11 | iLO 4 sends multiple unwanted SNMP traps with specific ID in a day.
12 | SNTP settings couldn't be configured in the GUI with iLO 4 v2.77 and above.
13 | iLO Events submitted by Direct Connect devices arrive in HPE backend application of Remote Support Data Center with incorrect GUIDs.
14 | 
15 | Version:2.78 (7 May 2021)
16 |  -  Updated Jquery library to 3.5.1
17 |  -  Updated Openssl library to OpenSSL 1.0.2x
18 |  -  eRS enhanced to support generic service event 1000 for critical events
19 | - IML reports fan modules failed for D3000 only after server reboot
20 |     - eRS service event added for Critical events like System Power Fault Detection
21 |     - Security fixes
22 |           - Added a Content Security Policy( CSP) to harden the web interfaces
23 |           - Enhanced Input validation for user controlled data
24 | - Fixes for multiple security vulnerabilities
25 | 
26 | Version:2.77 (17 Dec 2020)
27 | Added support to display login banner SSH login
28 | Potential vulnerabilities in network stack. Click here to know more about the Security Vulnerabilities.
29 | Active directory test may fail during LDAP authentication.
30 | 
31 | Version:2.76 (4 Nov 2020)
32 | Users can view and modify the System thermal configuration settings using iLO interfaces.
33 | On a server that is registered for Remote Support, if you download the Active Health System Log when Active Health System reporting information is being sent to Hewlett Packard Enterprise, the downloaded file might contain only baseline information.
34 | The Smart Storage Battery might be listed on the System Information > Network page in the iLO web interface.
35 | 
36 | Version:2.75 (18 Aug 2020)
37 | Potential Ripple20 vulnerabilities affecting the TCP/IP stack.
38 | 
39 | Version:2.74 (16 May 2020)
40 | iLO 4  does not enforce the requirement for strong host keys when the Enforce AES/3DES Encryption and FIPS mode settings are enabled
41 | 
42 |  - doesn't look like anything that will burn us?
43 | ```
44 | Actually writing the patches for v2.79 was very easy. I used my AoBs (these are best documented in patches/277/patches.md) to find each function and only had to modify offsets. None of the bytes needed to change, although that took some work to realize. (afterthought: this is actually false, we'll see that in the next page). I scanned for AoBs and replaced the functions.
45 | 
46 | I had to do some double checking to make sure command order / etc didn't change -- turns out it seems to never change between versions. I flashed the iLO with my v2.79 firmware and it was pretty good (it booted, anyway):
47 | ```
48 | notes:
49 | 	fan didn't come down after flashing + iLO restarting
50 | 	weird fan behavior during boot sequence? fans not running during thermal testing ...
51 | 	`help` works fine on SSH, but fan command causes a stall
52 | 	stall eventually trips a watchdog and makes the iLO reset
53 | 		after reset, the web portal never comes back up but SSH does? kinda strange
54 | 	my assumption: patch on stdout redirect didn't apply correctly causing the hanging, but otherwise the firmware is ok
55 | 	validating this by removing the stdout patch entirely and testing
56 | ```
57 | ```
58 | after removing stdout patch:
59 | 	fans come down after flashing
60 | 	all of this behavior makes a lot of sense if the internal service is calling `health` and its erroring. the controller can't get the fan speeds up during boot nor after flashing, making them awkwardly hang
61 | 
62 | 
63 | 	anyway - now the health service is ok and running the fans properly via iLO. however, im not getting expected output
64 | 	from my commands. i think something is wrong with the arg processor so i'll have to test that next.
65 | ```
66 | This result was actually what prompted me to dig into the arg processing code in the last page (I'm writing this a bit out of order).
67 | 
68 | After a long day of digging around, I thought that the arg parser might be fine but the switch statement might have been shuffled. Essentially, I was calling the wrong functions in .health but otherwise parsing arguments correctly.
69 | 
70 | This was when I, with much disappointment, realized that the `fan` CLI tool (and the other health/ocsd/ocbb tools) were entirely removed from v2.79. To emphasize how much code was missing that I didn't realize, here's the graph from the fan tool that is entirely absent in v2.79:
71 | ![.health Fan Function](img/health_fan_function.png)
72 | 
73 | Anyway. I moved my offsets to v2.78 and got that working -- still no dice. I liked v2.78 originally because I glanced at the included strings in the binary -- which included all the help text for the `fan` CLI tool. However, the actual code to run it is gone and the strings have no references. Oops. I loaded up v2.77 and was pleased to find the fan CLI tool in all its glory. Time to move my patches for now. Hopefully we can return to looking at v2.78+, but for now I'm getting out while I'm ahead and patching v2.77 and calling it a day.
74 | 
75 | Onto [v2.77](2022-02-19-onto-277.md)!
76 | 


--------------------------------------------------------------------------------
/research/2022-02-19-onto-277.md:
--------------------------------------------------------------------------------
 1 | # 2022-02-19: Building v2.77
 2 | 
 3 | Building v2.77 was pretty easy ... at this point, I've written offsets for v2.73, v2.79, and v2.78. I was pretty used to it.
 4 | 
 5 | I booted up and had the same issues with stdout -- the iLO hung if I called any of my fan commands. I stripped out the stdout function calls, and was very happy to see the `fan` commands WORKING! All that remains is to patch stdout.
 6 | 
 7 | ## Stdout fixes
 8 | I wasn't surprised to see the stdout patch was breaking. It was the part of the code I looked at the least. I dug around for a while trying to find why the references would be messed up and break the stdout code. Ultimately, the solution was obvious and I documented it in patches/277/patches.md.
 9 | 
10 | I didn't take very good notes here, so I don't have much to share. However, with the stdout bugs patched ...
11 | 
12 | it works!
13 | 
14 | 
15 | ## Closing Thoughts
16 | This ends my (maybe first/only, maybe just first) research sprint into this project. I'll be releasing v2.77 to the community.
17 | 
18 | Here's some stuff that needs additional work:
19 | I'd love to patch the SSH bug where output is only shown on the first SSH shell. I'm pretty sure this is doable and depends on my research into the Connection Records previously done. Hopefully I can make something without too much work
20 | And patching v2.78+ ... this is a monumentally large project and not really worth it to me. So we'll see.
21 | 


--------------------------------------------------------------------------------
/research/img/273-277-vspchannel-comparison.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/273-277-vspchannel-comparison.png


--------------------------------------------------------------------------------
/research/img/conapp-closing-connection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/conapp-closing-connection.png


--------------------------------------------------------------------------------
/research/img/conapp-get-current-context.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/conapp-get-current-context.png


--------------------------------------------------------------------------------
/research/img/health-ipc-call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/health-ipc-call.png


--------------------------------------------------------------------------------
/research/img/health-jump-table.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/health-jump-table.png


--------------------------------------------------------------------------------
/research/img/health_fan_function.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/health_fan_function.png


--------------------------------------------------------------------------------
/research/img/keypatch-function-entrypoints.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/keypatch-function-entrypoints.png


--------------------------------------------------------------------------------
/research/img/new-function-entrypoints.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/new-function-entrypoints.png


--------------------------------------------------------------------------------
/research/img/patch-for-273-identical.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/patch-for-273-identical.png


--------------------------------------------------------------------------------
/research/img/unkn-libc-call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/unkn-libc-call.png


--------------------------------------------------------------------------------
/research/img/vspchannel-logging-ipc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kendallgoto/ilo4_unlock/120ed240377c1480358e94a03707871f434f38f8/research/img/vspchannel-logging-ipc.png


--------------------------------------------------------------------------------
/research/readme.md:
--------------------------------------------------------------------------------
 1 | # Research Notes
 2 | 
 3 | Please note: I took pretty hasty & quick notes while I worked. I've try to organize them more clearly for the benefit of future researchers.
 4 | 
 5 | A disclaimer: I'm not professionally trained in reverse engineering, assembly, or ARM code. I've explored all three areas, but not with great depth. I'm a student & run a homelab in my bedroom, creating my intrigue in working on this. I had many firsts along the way, dug myself into many holes, and wasted lots of time running in circles.
 6 | 
 7 | - [2022-02-15: Initial Findings](2022-02-15-initial-findings.md)
 8 | - [2022-02-16: Reproducing v2.73](2022-02-16-reproducing-273.md)
 9 | - [2022-02-17: Docs](2022-02-17-docs.md)
10 | - [2022-02-18: Building v2.79](2022-02-18-building-279.md)
11 | - [2022-02-19: Onto v2.77](2022-02-19-onto-277.md)
12 | 


--------------------------------------------------------------------------------
/scripts/aterfax-silence-dl380pG8-screen.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # Provided by https://github.com/Aterfax in PR #3
 4 | # Set up using Cron rules (crontab -e)
 5 | # @restart /home/whatever/my-start-script.sh # trigger script at bootup
 6 | # */6 * * * * /usr/bin/screen -S my-screen-name -X stuff 'fan info'`echo -ne '\015'` # send fan info regularly to keep alive
 7 | #
 8 | # This setup is tuned for my DL380p Gen8 LFF server with additional PCIe cards.
 9 | # We establish a screen session, SSH to iLO4 and "stuff" it with commands.
10 | # This preserves the first TTY in the screen session connected with iLO4
11 | # so further command input/output can be visualised.
12 | # We're avoiding the "output only goes in the first SSH session/TTY" bug!
13 | #
14 | # SSH is reliant on you using SSH keys and having these setup already.
15 | 
16 | IP=X.X.X.X # CHANGEME
17 | SCREEN_NAME=iLO4fansession
18 | 
19 | IP=${IP} screen -dmS $SCREEN_NAME
20 | 
21 | echo -e "Establishing SSH session inside screen."
22 | 
23 | screen -S $SCREEN_NAME -X stuff 'ssh -t  Administrator@${IP} -o LocalCommand="fan info"'`echo -ne '\015'`
24 | 
25 | echo -e "Sleeping for 5 seconds."
26 | 
27 | sleep 5
28 | 
29 | echo -e "Resuming fan commands."
30 | 
31 | # `echo -ne '\015'` emulates pressing the Enter key.
32 | 
33 | # Set fan minimums.
34 | screen -S $SCREEN_NAME -X stuff 'fan p 0 min 50'`echo -ne '\015'`
35 | screen -S $SCREEN_NAME -X stuff 'fan p 1 min 50'`echo -ne '\015'`
36 | screen -S $SCREEN_NAME -X stuff 'fan p 2 min 50'`echo -ne '\015'`
37 | screen -S $SCREEN_NAME -X stuff 'fan p 3 min 65'`echo -ne '\015'`
38 | screen -S $SCREEN_NAME -X stuff 'fan p 4 min 65'`echo -ne '\015'`
39 | screen -S $SCREEN_NAME -X stuff 'fan p 5 min 65'`echo -ne '\015'`
40 | 
41 | # Ignore HD Cage sensor due to non-HP branded HDDs.
42 | screen -S $SCREEN_NAME -X stuff 'fan t 12 off'`echo -ne '\015'`
43 | 
44 | # Ignore PCIe slots cage 1 sensors?
45 | screen -S $SCREEN_NAME -X stuff 'fan t 32 off'`echo -ne '\015'`
46 | screen -S $SCREEN_NAME -X stuff 'fan t 33 off'`echo -ne '\015'`
47 | screen -S $SCREEN_NAME -X stuff 'fan t 34 off'`echo -ne '\015'`
48 | screen -S $SCREEN_NAME -X stuff 'fan t 35 off'`echo -ne '\015'`
49 | screen -S $SCREEN_NAME -X stuff 'fan t 36 off'`echo -ne '\015'`
50 | screen -S $SCREEN_NAME -X stuff 'fan t 37 off'`echo -ne '\015'`
51 | screen -S $SCREEN_NAME -X stuff 'fan t 38 off'`echo -ne '\015'`
52 | 
53 | # Ignore PCIe slots cage 2 sensors?
54 | screen -S $SCREEN_NAME -X stuff 'fan t 52 off'`echo -ne '\015'`
55 | screen -S $SCREEN_NAME -X stuff 'fan t 53 off'`echo -ne '\015'`
56 | screen -S $SCREEN_NAME -X stuff 'fan t 54 off'`echo -ne '\015'`
57 | screen -S $SCREEN_NAME -X stuff 'fan t 55 off'`echo -ne '\015'`
58 | screen -S $SCREEN_NAME -X stuff 'fan t 56 off'`echo -ne '\015'`
59 | screen -S $SCREEN_NAME -X stuff 'fan t 57 off'`echo -ne '\015'`
60 | screen -S $SCREEN_NAME -X stuff 'fan t 58 off'`echo -ne '\015'`
61 | screen -S $SCREEN_NAME -X stuff 'fan t 59 off'`echo -ne '\015'`
62 | screen -S $SCREEN_NAME -X stuff 'fan t 60 off'`echo -ne '\015'`
63 | screen -S $SCREEN_NAME -X stuff 'fan t 61 off'`echo -ne '\015'`
64 | screen -S $SCREEN_NAME -X stuff 'fan t 62 off'`echo -ne '\015'`
65 | screen -S $SCREEN_NAME -X stuff 'fan t 63 off'`echo -ne '\015'`
66 | 
67 | 


--------------------------------------------------------------------------------
/scripts/cf-dynamic-fans.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | ###
 4 | ### This script adjusts the fan speed based on the highest temperature
 5 | ### Use with https://github.com/kendallgoto/ilo4_unlock/blob/main/scripts/ja-silence-dl20G9.sh to unlock the iLO4 fan control and run the original script first to establish a screen session.
 6 | ### Then this script can run via a .timer unit to adjust the fan speed every x seconds/minutes.
 7 | ###
 8 | ### Required packages: freeipmi, lm-sensors, jq, screen
 9 | ### freeipmi might need additional configuration if the os you're executing this on isn't the same as the server you're trying to control.
10 | ### You can also use ipmitool instead of freeipmi, but you'll need to adjust the script accordingly. I had issues with ipmitool correctly formatting how I wanted things, ipmi-sensors was much easier to work with.
11 | ###
12 | ### Example .timer unit:
13 | ### [Unit]
14 | ### Description=Adjust fan speed
15 | ###
16 | ### [Timer]
17 | ### OnBootSec=10s
18 | ### OnUnitActiveSec=1m
19 | ### Unit=fan_autocontrol.service
20 | ###
21 | ### [Install]
22 | ### WantedBy=timers.target  
23 | ###
24 | ### Example .service unit:
25 | ### [Unit]
26 | ### Description=Adjust fan speed
27 | ###
28 | ### [Service]
29 | ### Type=oneshot
30 | ### ExecStart=/path/to/fan_autocontrol.sh (name of this script)
31 | ###
32 | ### [Install]
33 | ### WantedBy=multi-user.target
34 | ###
35 | 
36 | 
37 | # Configuration
38 | SCREEN_NAME="iLO4fansession"
39 | MIN_TEMP=45  # Lowered the minimum temperature to 45 degrees Celsius
40 | MAX_TEMP=67
41 | MIN_SPEED=40
42 | MAX_SPEED=255
43 | TEMP_RANGE=$((MAX_TEMP - MIN_TEMP))  # 22
44 | SPEED_RANGE=$((MAX_SPEED - MIN_SPEED))  # 215
45 | 
46 | adjust_fan_speed() {
47 |     local TEMPERATURE=$1
48 |     local FAN_GROUP=$2
49 |     local SPEED
50 | 
51 |     if [ "$TEMPERATURE" -le $MIN_TEMP ]; then
52 |         SPEED=$MIN_SPEED
53 |     elif [ "$TEMPERATURE" -ge $MAX_TEMP ]; then
54 |         SPEED=$MAX_SPEED
55 |     else
56 |         # Calculate speed based on the temperature
57 |         SPEED=$(($MIN_SPEED + ($TEMPERATURE - $MIN_TEMP) * $SPEED_RANGE / $TEMP_RANGE))
58 |     fi
59 | 
60 |     # Apply the calculated speed to each fan in the group
61 |     for FAN in $FAN_GROUP; do
62 |         screen -S $SCREEN_NAME -X stuff "fan p $FAN max $SPEED"`echo -ne '\015'`
63 |     done
64 | }
65 | 
66 | # Read temperatures from sensors and IPMI
67 | CPU1_TEMP=$(sensors -Aj coretemp-isa-0000 | jq '.[][] | to_entries[] | select(.key | endswith("input")) | .value' | sort -rn | head -n1)
68 | CPU2_TEMP=$(sensors -Aj coretemp-isa-0001 | jq '.[][] | to_entries[] | select(.key | endswith("input")) | .value' | sort -rn | head -n1)
69 | HIGHEST_TEMP_IPMI=$(ipmi-sensors -t Temperature --ignore-not-available-sensors --comma-separated-output | awk -F, 'NR>1 && $4+0 == $4 {if ($4 > max) {max = $4}} END {print int(max)}')
70 | 
71 | # Convert temperatures to integers and find the highest
72 | CPU1_TEMP=${CPU1_TEMP%.*}
73 | CPU2_TEMP=${CPU2_TEMP%.*}
74 | HIGHEST_TEMP_IPMI=${HIGHEST_TEMP_IPMI%.*}
75 | HIGHEST_TEMP=$((CPU1_TEMP > CPU2_TEMP ? CPU1_TEMP : CPU2_TEMP))
76 | HIGHEST_TEMP=$((HIGHEST_TEMP > HIGHEST_TEMP_IPMI ? HIGHEST_TEMP : HIGHEST_TEMP_IPMI))
77 | 
78 | # Output the highest temperature
79 | echo "Temperatures:"
80 | echo "CPU1: $CPU1_TEMP°C"
81 | echo "CPU2: $CPU2_TEMP°C"
82 | echo "Highest IPMI: $HIGHEST_TEMP_IPMI°C"
83 | echo "Highest: $HIGHEST_TEMP°C"
84 | 
85 | # Define fan groups based on your setup
86 | FAN_GROUP="0 1 2 3 4 5"  # Example fan group
87 | 
88 | # Adjust fan speeds based on the highest temperature
89 | adjust_fan_speed "$HIGHEST_TEMP" "$FAN_GROUP"
90 | 


--------------------------------------------------------------------------------
/scripts/djaenk-quiet-dl380pG8.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # I use this on my DL380p Gen8 running Proxmox VE 7.2.
 4 | # The server has two of its eight SFF bays populated and is otherwise stock.
 5 | # I consider this a safer solution than explicitly disabling sensors or
 6 | # throttling fans because it reduces the minimum fan speed for an overreactive
 7 | # sensor while keeping all other fan curves. I wouldn't say this silences the
 8 | # server, but it does make it magnitudes quieter. Referenced from
 9 | # https://www.reddit.com/r/homelab/comments/di3vrk/silence_of_the_fans_controlling_hp_server_fans/firx6op/
10 | 
11 | # Replace these values with those relevant to your iLO. Alternatively,
12 | # consider defining them with environment variables.
13 | 
14 | IP=x.x.x.x
15 | USER='Administrator'
16 | PWD='password'
17 | OPT='-oKexAlgorithms=+diffie-hellman-group14-sha1'
18 | 
19 | sshpass -p $PWD ssh ${OPT} $USER@$IP 'fan info'
20 | sshpass -p $PWD ssh ${OPT} $USER@$IP 'fan pid 47 lo 1600'
21 | 
22 | # The script can be triggered on startup with a crontab.
23 | # While writing the cron job, a one liner can be used instead:
24 | # @reboot sshpass -p password ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 Administrator@x.x.x.x 'fan pid 47 lo 1600'
25 | 


--------------------------------------------------------------------------------
/scripts/dl360gen9-silent.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Variables
 4 | ilo_user="#"          # Replace with your iLO username
 5 | ilo_pass="#"          # Replace with your iLO password
 6 | ilo_host="#"          # Replace with your iLO hostname or IP address
 7 | 
 8 | # Options to enable older key exchange and host key methods
 9 | ssh_options="-o KexAlgorithms=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-rsa,ssh-dss -o StrictHostKeyChecking=no"
10 | 
11 | # Loop through the sensor numbers and send the command
12 | for sensor in {01..46} #set lo 1600 to all sensors (in my case 46 sensors) 
13 | do
14 |     sshpass -p $ilo_pass ssh $ssh_options $ilo_user@$ilo_host "fan pid $sensor lo 1600"
15 | done
16 | 


--------------------------------------------------------------------------------
/scripts/ja-silence-dl20G9.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # Modified from aterfax-silence-dl380pG8-screen.sh by https://github.com/Aterfax in PR #3
 4 | #
 5 | # Set up using Cron rules (crontab -e)
 6 | # @reboot /home/whatever/my-start-script.sh # trigger script at bootup
 7 | # */6 * * * * /usr/bin/screen -S iLO4fansession -X stuff 'fan info'`echo -ne '\015'` # send fan info regularly to keep alive
 8 | #
 9 | # This setup is tuned for my DL20 Gen 9 server with additional PCIe cards.
10 | # You should monitor your temps and your workload, but fans should still ramp up since this doesn't disable most sensors.
11 | #
12 | # We establish a screen session, SSH to iLO4 and "stuff" it with commands.
13 | # This preserves the first TTY in the screen session connected with iLO4
14 | # so further command input/output can be visualised.
15 | # We're avoiding the "output only goes in the first SSH session/TTY" bug!
16 | #
17 | # SSH is using SSH keys to connect in this example. Generate a key then add in iLO.
18 | 
19 | IP=X.X.X.X # CHANGEME
20 | SCREEN_NAME=iLO4fansession
21 | SSH_USER=Administrator # You should set up a different user in iLO, no extra permissions are needed for the user.
22 | SSH_KEY=~/.ssh/foo # Set to the location of the SSH key for the above user.
23 | 
24 | IP=${IP} screen -dmS $SCREEN_NAME
25 | 
26 | echo -e "Establishing SSH session inside screen."
27 | 
28 | while [ true ]
29 | do
30 | 	echo -e "Checking if ${IP} is up."
31 | 	ping -q -c 1 ${IP} &>/dev/null
32 | 	if [ $? -ne 0 ]; then
33 | 		echo "iLO is not responding. Reattempting in 30 seconds.";
34 | 	else
35 | 		break
36 | 	fi
37 | 	sleep 30
38 | done
39 | 
40 | screen -S $SCREEN_NAME -X stuff "ssh -i ${SSH_KEY} -t  ${SSH_USER}@${IP} -p 2222 -o PubKeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-dss -o KexAlgorithms=+diffie-hellman-group14-sha1 -o LocalCommand='fan info'"`echo -ne '\015'`
41 | 
42 | echo -e "Sleeping for 5 seconds."
43 | 
44 | sleep 5
45 | 
46 | echo -e "Resuming fan commands."
47 | 
48 | # `echo -ne '\015'` emulates pressing the Enter key.
49 | 
50 | # Set fan minimums.
51 | screen -S $SCREEN_NAME -X stuff 'fan p 0 min 25'`echo -ne '\015'`
52 | screen -S $SCREEN_NAME -X stuff 'fan p 1 min 25'`echo -ne '\015'`
53 | screen -S $SCREEN_NAME -X stuff 'fan p 2 min 25'`echo -ne '\015'`
54 | screen -S $SCREEN_NAME -X stuff 'fan p 3 min 25'`echo -ne '\015'`
55 | 
56 | 
57 | # Ignore HD sensors due to non-HP branded HDDs.
58 | screen -S $SCREEN_NAME -X stuff 'fan t 3 off'`echo -ne '\015'`
59 | screen -S $SCREEN_NAME -X stuff 'fan t 19 off'`echo -ne '\015'`
60 | screen -S $SCREEN_NAME -X stuff 'fan t 20 off'`echo -ne '\015'`
61 | 
62 | # Increase setpoint of PCIe sensors, otherwise fans will be minimum 30%.
63 | # 5500 sets a target of 55C after which the fans start ramping up.
64 | screen -S $SCREEN_NAME -X stuff 'fan pid 23 sp 5500'`echo -ne '\015'`
65 | screen -S $SCREEN_NAME -X stuff 'fan pid 25 sp 5500'`echo -ne '\015'`
66 | screen -S $SCREEN_NAME -X stuff 'fan pid 26 sp 5500'`echo -ne '\015'`
67 | 


--------------------------------------------------------------------------------
/scripts/kg-silence-dl380eG8.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # This file is part of the ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto.
 5 | #
 6 | # This program is free software: you can redistribute it and/or modify
 7 | # it under the terms of the GNU General Public License as published by
 8 | # the Free Software Foundation, version 3.
 9 | #
10 | # This program is distributed in the hope that it will be useful, but
11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 | # General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 | 
18 | 
19 | # NOTE: this is just what I use on my system! I DON'T suggest these fan curves
20 | # since they are aggressive and unsafe. I play loose since I'm lazy. Here's some setup notes:
21 | # I write iLO directly to this system, running in a CentOS ESXI VM on my server
22 | # I have this script loaded at boot with crontab @reboot
23 | # I have a dnsmasq server on here to serve DHCP to the iLO on a private subnet (10.0.99.0)
24 | # I have the iLO's password saved in /root/passwordfile and load it with sshpass
25 | # I would rather do this via SSH keys, but I couldn't be bothered to get them working on the iLO.
26 | 
27 | # This setup is tuned for my DL380e Gen8 LFF server.
28 | IP=10.0.99.50
29 | PASSWD="/root/passwordfile"
30 | 
31 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan info'
32 | 
33 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 50 off'
34 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 51 off'
35 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 52 off'
36 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 53 off'
37 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 54 off'
38 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 55 off'
39 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 56 off'
40 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 57 off'
41 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 34 off'
42 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 35 off'
43 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 36 off'
44 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 37 off'
45 | 
46 | #fix minimums
47 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan t 00 set 5'
48 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 0 min 50'
49 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 1 min 50'
50 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 2 min 50'
51 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 3 min 65'
52 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 4 min 65'
53 | sshpass -f "$PASSWD" ssh Administrator@${IP} 'fan p 5 min 65'
54 | 


--------------------------------------------------------------------------------
/scripts/kg-silence-dl380pG8.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | #
 3 | # This file is part of the ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto.
 5 | #
 6 | # This program is free software: you can redistribute it and/or modify
 7 | # it under the terms of the GNU General Public License as published by
 8 | # the Free Software Foundation, version 3.
 9 | #
10 | # This program is distributed in the hope that it will be useful, but
11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 | # General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
17 | 
18 | 
19 | # NOTE: this is just what I use on my system! I DON'T suggest these fan curves
20 | # since they are aggressive and unsafe. I play loose since I'm lazy. Here's some setup notes:
21 | # I write iLO directly to this system, running in a CentOS ESXI VM on my server
22 | # I have this script loaded at boot with crontab @reboot
23 | # I have a dnsmasq server on here to serve DHCP to the iLO on a private subnet (10.0.99.0)
24 | # I have the iLO's password saved in /root/passwordfile and load it with sshpass
25 | # I would rather do this via SSH keys, but I couldn't be bothered to get them working on the iLO.
26 | 
27 | # This setup is tuned for my DL380p Gen8 SFF server.
28 | IP=10.0.99.50
29 | PASSWD="/root/passwordfile"
30 | OPT="-oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group14-sha1"
31 | 
32 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan info'
33 | 
34 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 37 off'
35 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 35 off'
36 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 60 off'
37 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 56 off'
38 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 57 off'
39 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 61 off'
40 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 47 off'
41 | 
42 | #fix minimums
43 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan t 00 set 5'
44 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 0 min 50'
45 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 1 min 50'
46 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 2 min 50'
47 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 3 min 65'
48 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 4 min 65'
49 | sshpass -f "$PASSWD" ssh ${OPT} Administrator@${IP} 'fan p 5 min 65'
50 | 


--------------------------------------------------------------------------------
/scripts/quietFansDL380G9.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Used to solve the "Max fans because we decided to use a graphics card" bug. 
 4 | # Seems that just restarting using these commands is enough to return the fan behavior to normal. 
 5 | # Tested on DL380 Gen9
 6 | 
 7 | # Replace these values with those relevant to your iLO. Alternatively,
 8 | # consider defining them with environment variables.
 9 | 
10 | IP=192.168.86.48
11 | USER='Administrator'
12 | PWD='pass'
13 | 
14 | sshpass -p $PWD ssh -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oHostKeyAlgorithms=ssh-rsa,ssh-dss $USER@$IP 'fan g stop'
15 | sshpass -p $PWD ssh -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oHostKeyAlgorithms=ssh-rsa,ssh-dss $USER@$IP 'fan g start'
16 | 
17 | 
18 | # The script can be triggered on startup with a crontab.
19 | 


--------------------------------------------------------------------------------
/scripts/readme.md:
--------------------------------------------------------------------------------
1 | # Scripts
2 | 
3 | Just as a base reference to how to use some of this work, I've uploaded my fan control boot scripts here. **I do not suggest them to be used** but they provide good context for how you can automate controlling the fans.
4 | 
5 | If you have a good script that you found useful utilizing the patched firmware, please let me know / make a PR and I'd love to include it.
6 | 


--------------------------------------------------------------------------------
/scripts/tty13-fanctrl.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | 
 4 | # This was made using bits of ja-silence-dl20G9.sh code and inspired by other bits here and there.
 5 | # At first, I heavily modified cf-dynamic-fans to match my setup and include a logarithmic curve for the fans,
 6 | # it worked great, but the issue was that I did not trust relying on a bash script to control the maximum fan speed.
 7 | # Relying on such a high-level utility to control something as important as the temperature seemed a bit dangerous.
 8 | # So I looked at the fan info, read a bit and started to understand what was faulty in HPE's algorithms.
 9 | # I ended up with what I believe to be a "safe" solution for my setup, since it does not modify any fan maximum
10 | # and more importantly, does not rely on any high-level running process
11 | # As a result, the fans can and will ramp up according to the readings, which are not modified
12 | # I only lower the minimum limit and increase some faulty (I believe) low setpoints
13 | 
14 | 
15 | 
16 | ### CONFIG GOES HERE
17 | IP=192.168.1.120
18 | SCREEN_NAME=iLO4fansession
19 | SSH_USER=fanctrl # You should set up a different user than Administrator in iLO, no extra permissions are needed for the user.
20 | SSH_KEY=/etc/ssh/id_fanctrl # Set to the location of the SSH key for the above user.
21 | 
22 | PID_NUMBER=52  # Set here the number of PIDs that fan info reports in the algorithms table.
23 | MIN_SPEED=2550 # Set the minimum speed the fans can run at (format is XX.XX°C = XXXX)
24 | ### END CONFIG
25 | 
26 | 
27 | # To prevent bash from complaining about the locale in some cases where numeric locale uses a comma
28 | export LC_NUMERIC="C"
29 | 
30 | # Check if iLO IP is up
31 | while :; do
32 |     echo -e "Checking if ${IP} is up."
33 |     ping -q -c 1 ${IP} &>/dev/null
34 |     if [ $? -ne 0 ]; then
35 |             echo "iLO is not responding. Reattempting in 30 seconds.";
36 |     else
37 |             break
38 |     fi
39 |     sleep 30
40 | done
41 | 
42 | 
43 | # Initiate iLO session :
44 | if ! screen -list | grep -q "$SCREEN_NAME"; then
45 |         IP=${IP} screen -dmS $SCREEN_NAME
46 |         echo -e "Establishing SSH session inside screen."
47 | 
48 | 
49 |         screen -S $SCREEN_NAME -X stuff "ssh -i ${SSH_KEY} -t  ${SSH_USER}@${IP} -o PubKeyAcceptedKeyTypes=+ssh-rsa -o HostKeyAlgorithms=+ssh-dss -o KexAlgorithms=+diffie-hellman-group14-sha1 -o LocalCommand='fan info'"`echo -ne '\015'`
50 |         # `echo -ne '\015'` emulates pressing the Enter key.
51 | 
52 |         # Wait
53 |         echo -e "Sleeping for 5 seconds."
54 |         sleep 5
55 |         # Stop waiting :o)
56 |         echo -e "Resuming fan commands."
57 | else
58 |         echo "Found screen session $SCREEN_NAME"
59 | fi
60 | 
61 | # Set minimum speed for the fans
62 | for ((i=1;i<=PID_NUMBER;i++)); do
63 |         screen -S $SCREEN_NAME -X stuff "fan pid $i lo $MIN_SPEED"`echo -ne '\015'`
64 |         sleep .2
65 |         # Sleep for 200ms, because iLO is slow and sometimes skips commands
66 | done
67 | 
68 | MIN_SPEED_ADJ=$(printf "%.1f\n" $(echo "$MIN_SPEED/100" | bc -l))
69 | for ((i=0;i<=7;i++)); do
70 |         screen -S $SCREEN_NAME -X stuff "fan p $i min $MIN_SPEED_ADJ"`echo -ne '\015'`
71 |         sleep .2
72 | done
73 | 
74 | REAL_SPEED=$(printf "%.1f\n" $(echo "($MIN_SPEED/25500)*100" | bc -l))
75 | echo -e "Minimum fan speed set to $REAL_SPEED%"
76 | 
77 | # Set here the correction for faulty PID temperatures which cause the fans to start ramping up too soon
78 | # For me, the setpoint for PID 50 (whatever that is) was 36°C ! And the setpoint for pid 35 (PCI-2 Zone) was 40°C
79 | # To keep things safe, take notice of the Caution and Critical temperatures in fan info.
80 | # You might want to ignore some faulty readings too if you have non-HP stuff, I don't know much about that, my setup is pretty stock.
81 | # (proprietary software/hardware sucks)
82 | 
83 | screen -S $SCREEN_NAME -X stuff "fan pid 50 sp 5500"`echo -ne '\015'` # No Caut nor Crit info, but I guess 55°C is fine
84 | sleep .2
85 | screen -S $SCREEN_NAME -X stuff "fan pid 35 sp 5200"`echo -ne '\015'` # Caut was 65°C and Crit was 70°C
86 | echo -e "Corrected faulty setpoints"
87 | 


--------------------------------------------------------------------------------
/util/asm/fan_research.S:
--------------------------------------------------------------------------------
 1 | h:
 2 | 	MOV		r0, #5		; entrypoint for health (call switch #5)
 3 | 	B		start
 4 | 
 5 | fan:
 6 | 	MOV		r0, #6		; entrypoint for fan (call switch #6)
 7 | 	B		start
 8 | 
 9 | ocsd:
10 | 	MOV		r0, #7		; entrypoint for ocsd (call switch #7)
11 | 	B		start
12 | 
13 | ocbb:
14 | 	MOV		r0, #8		; entrypoint for ocbb (call switch #8)
15 | 
16 | start:
17 | 	MOV		R12, SP				; Initialize
18 | 	PUSH	{R10, R11, R12, LR, PC}
19 | 	SUB		R11, R12, #4
20 | 	SUB		SP, SP, #0xA00		; Allocate space on stack for IPC struct
21 | 	STR		R0, [SP]			; Store R0 as first value in struct (switch value)
22 | 	MOV		R3, #0				; Init R3 to zero
23 | 	ADD		R2, SP, #4			; Move R2 to write at 0x4 in IPC struct
24 | 	ADD		R0, R7, #0x1000		; Move R0 to start of input arg
25 | loop:							; Parse string char-by-char
26 | 	LDRB	R1, [R0], #1		; Load char from string; R0++ (0x1000+i)
27 | 	CMP		R1, #0x20			; if loaded == ' '
28 | 	STRBEQ	R3, [R2],#1			;	then store \0 into R2, R2++
29 | 	STRBNE	R1, [R2],#1			;	else store char in R2, r2++
30 | 	CMP		R1, #0				; if char != \0
31 | 	BNE		loop				; 	then loop
32 | 	STRB	R3, [R2]			; store final \0 onto R2
33 | 	MOV		R0, SP				; Setup call
34 | 	ADD		R1, SP, #0x500		; Setup call
35 | 	BL		dump_reg			; dump registers
36 | 	LDR		R0, [SP,#0x500]		; load yielded value to R0
37 | 	LDMDB	R11, {R10, R11,SP,PC}	; exit
38 | 
39 | dump_reg:
40 | 	LDR		R10, dump_reg_fn
41 | 	BX		R10
42 | dump_reg_fn:
43 | 	.word 0xed290
44 | 


--------------------------------------------------------------------------------
/util/asm/test.S:
--------------------------------------------------------------------------------
1 | _start:
2 | 	LDR		R10, DateFn
3 | 	BX		R10
4 | 
5 | DateFn:
6 | 	.word 0x19DB4
7 | 


--------------------------------------------------------------------------------
/util/common.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #
 3 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto
 5 | # with some code derived from https://github.com/airbus-seclab/ilo4_toolbox
 6 | #
 7 | # This program is free software: you can redistribute it and/or modify
 8 | # it under the terms of the GNU General Public License as published by
 9 | # the Free Software Foundation, version 3.
10 | #
11 | # This program is distributed in the hope that it will be useful, but
12 | # WITHOUT ANY WARRANTY; without even the implied warranty of
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 | # General Public License for more details.
15 | #
16 | # You should have received a copy of the GNU General Public License
17 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 | import os
19 | from keystone import *
20 | import sys
21 | 
22 | def read_patch(file):
23 |     with open(file, "rb") as f:
24 |         handler = f.read()
25 |         # remove comments ...
26 |         handler_split = handler.split('\n')
27 |         for i in range(len(handler_split)):
28 |             this_line = handler_split[i]
29 |             this_line = this_line.split(";")[0]
30 |             handler_split[i] = this_line
31 |         handler = "\n".join(handler_split)
32 |         # print handler
33 |         ks = Ks(KS_ARCH_ARM, KS_MODE_ARM)
34 |         try:
35 |             output = ks.asm(handler)
36 |         except KsError as e:
37 |             print "Error with Keystone ", e.message
38 |             if e.get_asm_count() is not None:
39 |                 print "asmcount = %u" % e.get_asm_count()
40 |             sys.exit(1)
41 |         return ''.join(chr(x) for x in output[0])
42 | def hexdump(src, length=16):
43 |     FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])
44 |     lines = []
45 |     for c in xrange(0, len(src), length):
46 |         chars = src[c:c+length]
47 |         hex = ' '.join(["%02x" % ord(x) for x in chars])
48 |         printable = ''.join(["%s" % ((ord(x) <= 127 and FILTER[ord(x)]) or '.') for x in chars])
49 |         lines.append("%04x  %-*s  %s\n" % (c, length*3, hex, printable))
50 |     return ''.join(lines)
51 | 


--------------------------------------------------------------------------------
/util/gcc/.gitignore:
--------------------------------------------------------------------------------
1 | *.bin
2 | *.o
3 | *.o.d
4 | 


--------------------------------------------------------------------------------
/util/gcc/Makefile:
--------------------------------------------------------------------------------
 1 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 2 | # Derived from Airbus Security Lab @  https://github.com/airbus-seclab/ilo4_toolbox
 3 | #
 4 | # This program is free software: you can redistribute it and/or modify
 5 | # it under the terms of the GNU General Public License as published by
 6 | # the Free Software Foundation, version 3.
 7 | #
 8 | # This program is distributed in the hope that it will be useful, but
 9 | # WITHOUT ANY WARRANTY; without even the implied warranty of
10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 | # General Public License for more details.
12 | #
13 | # You should have received a copy of the GNU General Public License
14 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
15 | 
16 | VERSION ?= 277
17 | 
18 | ARM_OBJDUMP ?= arm-none-eabi-objdump
19 | ARM_GCC ?= arm-none-eabi-gcc
20 | HPILO_VER := $(shell printf "0x%d" $(VERSION))
21 | CPPFLAGS += -DHPILO_VER=$(HPILO_VER)
22 | WARNINGS := -Wall -Wextra
23 | WARNINGS += -Wno-unused-parameter
24 | WARNINGS += -Wno-unused-variable
25 | WARNINGS += -Wno-unused-function
26 | WARNINGS += -Werror
27 | 
28 | all: main.bin
29 | 
30 | clean:
31 | 	$(RM) ./*.bin ./*.o ./.*.d
32 | 
33 | main.bin: main.linked.o
34 | 	if $(ARM_OBJDUMP) -r $< | grep -i shcode ; then \
35 | 		echo "Fatal error: relocations exist!" ; \
36 | 		$(ARM_OBJDUMP) -r $< ; \
37 | 		false ; \
38 | 	fi
39 | 	arm-none-eabi-objcopy -j .shcode -O binary $< $@
40 | 	chmod -x $@
41 | 	stat -c '%s %n' $@
42 | 
43 | main.linked.o: main.o
44 | 	@
45 | 	arm-none-eabi-ld -nostdlib -O1 -T main.lds -shared -Bsymbolic -as-needed -no-undefined -warn-common -fatal-warnings $^ -o $@
46 | 
47 | main.o: main.c
48 | 	$(ARM_GCC) $(WARNINGS) $(CPPFLAGS) -Wp,-MT,$@ -Wp,-MD,$(dir $@).$(notdir $@).d \
49 | 		-O2 -c -fPIC -nostdlib -ffreestanding -mpic-register=r4 $< -o $@
50 | 
51 | -include .*.d
52 | 
53 | dump: main.bin
54 | 	$(ARM_OBJDUMP) -D -bbinary -marm $<
55 | 
56 | .PHONY: all clean dump dumplinked dumplinkedd
57 | .PRECIOUS: main.linked.o main.o
58 | 


--------------------------------------------------------------------------------
/util/gcc/ilo.h:
--------------------------------------------------------------------------------
 1 | /*
 2 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 3 | # Derived from Airbus Security Lab @  https://github.com/airbus-seclab/ilo4_toolbox
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, version 3.
 8 | #
 9 | # This program is distributed in the hope that it will be useful, but
10 | # WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | # General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 | */
17 | #pragma once
18 | 
19 | typedef unsigned char u8, uint8_t, bool;
20 | typedef unsigned short u16, uint16_t;
21 | typedef unsigned int u32, uint32_t, mode_t, off_t, size_t;
22 | typedef unsigned long long u64, uint64_t;
23 | typedef int ssize_t;
24 | 
25 | typedef uint32_t dev_t, ino_t, nlink_t, uid_t, gid_t, dev_t, blksize_t, blkcnt_t, time_t;
26 | 
27 | #define false (0U)
28 | #define true (1U)
29 | 
30 | /* From Linux:include/stddef.h */
31 | #define offsetof(TYPE, MEMBER) ((size_t)&((TYPE *)0)->MEMBER)
32 | 
33 | #define STATIC_ASSERT(cond) _Static_assert(cond, #cond)
34 | STATIC_ASSERT(sizeof(uint8_t) == 1);
35 | STATIC_ASSERT(sizeof(uint16_t) == 2);
36 | STATIC_ASSERT(sizeof(uint32_t) == 4);
37 | STATIC_ASSERT(sizeof(uint64_t) == 8);
38 | 
39 | typedef struct DIR_s {
40 |     u32 unknown;
41 | } DIR;
42 | enum {
43 |     DT_UNKNOWN = 0,
44 |     DT_FIFO = 1,
45 |     DT_CHR = 2,
46 |     DT_DIR = 4,
47 |     DT_BLK = 6,
48 |     DT_REG = 8,
49 |     DT_LNK = 10,
50 |     DT_SOCK = 12,
51 | };
52 | struct dirent {
53 |     uint32_t d_ino; /* Inode number (2 for /, 3 for /mnt, 4 for /tmp) */
54 |     uint16_t d_reclen; /* Size of the record in the directory inode */
55 |     uint8_t d_type; /* DT_... */
56 |     uint8_t d_namelen; /* Length of name */
57 |     char d_name[256];
58 | };
59 | struct ipc {
60 |     uint32_t call;
61 |     char params[256];
62 | };
63 | STATIC_ASSERT(offsetof(struct ipc, call) == 0x0);
64 | STATIC_ASSERT(offsetof(struct ipc, params) == 0x4);
65 | 
66 | struct timespec {
67 |     time_t tv_sec;
68 |     long tv_nsec;
69 | };
70 | struct stat {
71 |     dev_t     st_dev;         /* ID of device containing file */
72 |     ino_t     st_ino;         /* Inode number */
73 |     mode_t    st_mode;        /* File type and mode */
74 |     nlink_t   st_nlink;       /* Number of hard links */
75 |     uid_t     st_uid;         /* User ID of owner */
76 |     gid_t     st_gid;         /* Group ID of owner */
77 |     dev_t     st_rdev;        /* Device ID (if special file) */
78 |     off_t     st_size;        /* Total size, in bytes */
79 |     blksize_t st_blksize;     /* Block size for filesystem I/O */
80 |     blkcnt_t  st_blocks;      /* Number of 512B blocks allocated */
81 | 
82 |     struct timespec st_atim;  /* Time of last access */
83 |     struct timespec st_mtim;  /* Time of last modification */
84 |     struct timespec st_ctim;  /* Time of last status change */
85 | };
86 | 
87 | #define errno (*(int *)get_errno_ptr())
88 | 
89 | #if HPILO_VER == 0x277
90 | #include "ilo_277.h"
91 | #else
92 | #error Unknown iLO Version
93 | #endif
94 | 


--------------------------------------------------------------------------------
/util/gcc/ilo_277.h:
--------------------------------------------------------------------------------
 1 | /*
 2 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 3 | # Derived from Airbus Security Lab @  https://github.com/airbus-seclab/ilo4_toolbox
 4 | #
 5 | # This program is free software: you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation, version 3.
 8 | #
 9 | # This program is distributed in the hope that it will be useful, but
10 | # WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 | # General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 | */
17 | 
18 | #include "ilo.h"
19 | 
20 | struct CLI_SESSION {
21 |     u8 pad1[0x164];
22 |     char argv[16][256]; /* 16 256-char-wide command arguments */
23 |     u32 argc;
24 | 	u8 pad2[0x204];
25 | 	char argstr[256];
26 | };
27 | /* ensure we've got our padding correct */
28 | STATIC_ASSERT(offsetof(struct CLI_SESSION, argv) == 0x164);
29 | STATIC_ASSERT(offsetof(struct CLI_SESSION, argc) == 0x1164);
30 | STATIC_ASSERT(offsetof(struct CLI_SESSION, argstr) == 0x136C);
31 | 
32 | /* ConAppCLI */
33 | static int (__attribute__((format(printf, 2, 3))) *CLI_printf)(u32 cli_id, const char *fmt, ...) = (const void *)0x12F68;
34 | static struct CLI_SESSION *(*ConAppCLI_get_CLI_session_ptr)(u32 cli_id) = (const void *)0x21F9C;
35 | static int (*ConAppCLI_call_Health)(struct ipc *ref, uint32_t *result) = (const void *)0x5B57C;
36 | static int (*ConAppCLI_getFnIndex)(char *command) = (const void *)0x1832C;
37 | static int (*ConAppCLI_strcasecmp)(char *str1, char *str2) = (const void *)0x7F434;
38 | 
39 | /* libc.so */
40 | static void *(*malloc)(size_t size) = (const void *)0x017B85E8;
41 | static void (*free)(void *ptr) = (const void *)0x017B86F4;
42 | static size_t (*strlen)(const char *str) = (const void *)0x017B2800;
43 | 
44 | static DIR *(*opendir)(const char *path) = (const void *)0x017A0CB4;
45 | static void (*closedir)(DIR *dir) = (const void *)0x017A0D70;
46 | static int (*readdir_r)(DIR *dir, struct dirent *entry, struct dirent **result) = (const void *)0x017A0DB4;
47 | 
48 | static int (*lstat)(const char *pathname, struct stat *statbuf) = (const void *)0x017AC75C;
49 | static int (*ioctl)(int fd, unsigned long request, ...) = (const void *)0x017AD820;
50 | static int (*open)(const char *pathname, int flags, mode_t mode) = (const void *)0x017AE89C;
51 | static ssize_t (*write)(int fd, const void *buf, size_t count) = (const void *)0x017AE9D8;
52 | static ssize_t (*read)(int fd, void *buf, size_t count) = (const void *)0x017AEABC;
53 | static int (*close)(int fd) = (const void *)0x017AEC80;
54 | static off_t (*lseek)(int fd, off_t offset, int whence) = (const void *)0x017AED24;
55 | 
56 | static int *(*get_errno_ptr)(void) = (const void *)0x017A25A0;
57 | 
58 | static int (__attribute__((format(printf, 3, 4))) *snprintf)(char *str, size_t size, const char *format, ...) = (const void *)0x017B3FE0;
59 | 
60 | static int (*libc_RequestResource)(u32 *pRes, const char *szResName, const char *szSystemPassword) = (const void *)0x017A3948;
61 | 
62 | static int (*AllocateAnyMemoryRegion)(u32 pool, u32 size, u32 *dwMemRegion) = (const void *)0x017A1DB4;
63 | 
64 | /* libINTEGRITY.so */
65 | static int (*INTEGRITY_CloseConnection)(u32 dwMemIndex) = (const void *)0x017808FC;
66 | static int (*INTEGRITY_MapMemoryRegion)(u32 dwMemIndex, u32 dwMemoryRegion) = (const void *)0x017809AC;
67 | static int (*INTEGRITY_UnMapMemoryRegion)(u32 dwMemIndex, u32 *pResult) = (const void *)0x017826D4;
68 | static int (*INTEGRITY_SetMemoryRegionAttributes)(u32 dwMemoryRegion, u32 dwFlags) = (const void *)0x01782734;
69 | static int (*INTEGRITY_CopyToMemoryRegion)(u32 physMR, u32 physaddr, const void *pInput, size_t ccbInput, u32 unknown_2832) = (const void *)0x1782818;
70 | static int (*INTEGRITY_CopyFromMemoryRegion)(u32 dwPhysMemoryRegion, u32 dwPhysAddr, void *pOutput, u32 dwOutLen, u32 unknown_2049) = (const void *)0x0178284C;
71 | static int (*INTEGRITY_GetMemoryRegionAttributes)(u32 dwMemoryRegion, u32 *pdwFlags) =(const void *) 0x01782964;
72 | static int (*INTEGRITY_GetMemoryRegionAddress)(u32 dwMemIndex, u32 *pVirtAddrStart, u32 *pVirtAddrEnd) = (const void *)0x017829A0;
73 | 


--------------------------------------------------------------------------------
/util/gcc/main.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
  3 | # Copyright (c) 2022 Kendall Goto
  4 | # with some code derived from https://github.com/airbus-seclab/ilo4_toolbox
  5 | #
  6 | # This program is free software: you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation, version 3.
  9 | #
 10 | # This program is distributed in the hope that it will be useful, but
 11 | # WITHOUT ANY WARRANTY; without even the implied warranty of
 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 13 | # General Public License for more details.
 14 | #
 15 | # You should have received a copy of the GNU General Public License
 16 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
 17 | */
 18 | 
 19 | #include "ilo.h"
 20 | __asm__ (
 21 | "	.section .entry, \"ax\", %progbits\n"
 22 | "	.arm\n"
 23 | "	.globl _entrypoint\n"
 24 | "	.hidden _entrypoint\n"
 25 | "	.type _entrypoint, %function\n"
 26 | "_entrypoint:\n"
 27 | "	b payload_start\n"
 28 | );
 29 | /*
 30 | void dump_registers(u32 cli_id) {
 31 | 	//struct CLI_SESSION *pCli;
 32 | 
 33 | 	//pCli = ConAppCLI_get_CLI_session_ptr(cli_id);
 34 | 
 35 | 	uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10;
 36 | 	asm (
 37 | 		"STR %%r0, %[a0] ;"
 38 | 		"STR %%r1, %[a1] ;"
 39 | 		"STR %%r2, %[a2] ;"
 40 | 		"STR %%r3, %[a3] ;"
 41 | 		"STR %%r4, %[a4] ;"
 42 | 		"STR %%r5, %[a5] ;"
 43 | 		"STR %%r6, %[a6] ;"
 44 | 		"STR %%r7, %[a7] ;"
 45 | 		"STR %%r8, %[a7] ;"
 46 | 		"STR %%r9, %[a7] ;"
 47 | 		"STR %%r10, %[a10] ;"
 48 | 		:
 49 | 		[a0] "=m" (r0), [a1] "=m" (r1), [a2] "=m" (r2), [a3] "=m" (r3),
 50 | 		[a4] "=m" (r4), [a5] "=m" (r5), [a6] "=m" (r6), [a7] "=m" (r7),
 51 | 		[a8] "=m" (r8), [a9] "=m" (r9), [a10] "=m" (r10)
 52 | 	);
 53 | 	CLI_printf(cli_id, "r0=%08x\n", r0);
 54 | 	CLI_printf(cli_id, "r1=%08x\n", r1);
 55 | 	CLI_printf(cli_id, "r2=%08x\n", r2);
 56 | 	CLI_printf(cli_id, "r3=%08x\n", r3);
 57 | 	CLI_printf(cli_id, "r4=%08x\n", r4);
 58 | 	CLI_printf(cli_id, "r5=%08x\n", r5);
 59 | 	CLI_printf(cli_id, "r6=%08x\n", r6);
 60 | 	CLI_printf(cli_id, "r7=%08x\n", r7);
 61 | 	CLI_printf(cli_id, "r8=%08x\n", r8);
 62 | 	CLI_printf(cli_id, "r9=%08x\n", r9);
 63 | 	CLI_printf(cli_id, "r10=%08x\n", r10);
 64 | }
 65 | */
 66 | void dump_vmemory(u32 cli_id, uint32_t startAddr, uint32_t len) {
 67 | 	uint32_t i;
 68 | 	char buff[17];
 69 | 	char *pc = (char *)startAddr;
 70 | 	for(i = 0; i < len; i++) {
 71 | 		if((i % 16) == 0) {
 72 | 			if(i != 0)
 73 | 				CLI_printf(cli_id, "\t%s\n", buff);
 74 | 			CLI_printf(cli_id, "%04x\t%04x ", i, i+startAddr);
 75 | 		}
 76 | 
 77 | 		CLI_printf(cli_id, " %02x", pc[i]);
 78 | 
 79 | 		if((pc[i] < 0x20) || (pc[i] > 0x7e)) {
 80 | 			buff[i % 16] = '.';
 81 | 		} else {
 82 | 			buff[i % 16] = pc[i];
 83 | 		}
 84 | 		buff[(i % 16) + 1] = '\0';
 85 | 	}
 86 | 	while((i%16) != 0) {
 87 | 		CLI_printf(cli_id, "\t");
 88 | 		i++;
 89 | 	}
 90 | 	CLI_printf(cli_id, "\t%s\n\n\n", buff);
 91 | }
 92 | 
 93 | void health_handler(u32 cli_id) {
 94 | 	struct CLI_SESSION *pCli;
 95 | 	pCli = ConAppCLI_get_CLI_session_ptr(cli_id);
 96 | 	CLI_printf(cli_id, "%s", pCli->argstr);
 97 | 	char *args = pCli->argstr;
 98 | 	struct ipc testFan;
 99 | 	uint32_t mode;
100 | 	uint32_t base = strlen(pCli->argv[0]) + 1;
101 | 	if(ConAppCLI_strcasecmp(pCli->argv[1], "h") == 0) {
102 | 		mode = 5;
103 | 	} else if(ConAppCLI_strcasecmp(pCli->argv[1], "fan") == 0){
104 | 		mode = 6;
105 | 	} else if(ConAppCLI_strcasecmp(pCli->argv[1], "ocsd") == 0) {
106 | 		mode = 7;
107 | 	} else if((ConAppCLI_strcasecmp(pCli->argv[1], "ocbb") == 0)) {
108 | 		mode = 8;
109 | 	} else {
110 | 		CLI_printf(cli_id, "must call fan/ocsd/ocbb/h\n");
111 | 		return;
112 | 	}
113 | 	testFan.call = mode;
114 | 	for(int i = 0; i < 255; i++) {
115 | 		char thisChar = args[i+base];
116 | 		if(thisChar == ' ') {
117 | 			testFan.params[i] = '\0';
118 | 		}
119 | 		else if(thisChar == '\0') {
120 | 			testFan.params[i] = '\0';
121 | 			break;
122 | 		} else {
123 | 			testFan.params[i] = thisChar;
124 | 		}
125 | 	}
126 | 	dump_vmemory(cli_id, (int)&testFan, sizeof(testFan));
127 | 
128 | 	uint32_t *result = malloc(0x500);
129 | 	uint32_t rescode = ConAppCLI_call_Health(&testFan, result);
130 | 	CLI_printf(cli_id, "Done, result %d\n", rescode);
131 | 	dump_vmemory(cli_id, (uint32_t)result, 0x500);
132 | 	free(result);
133 | 
134 | }
135 | 
136 | static __attribute__((used))
137 | void payload_start(u32 cli_id) {
138 | 	health_handler(cli_id);
139 | }
140 | 


--------------------------------------------------------------------------------
/util/gcc/main.lds:
--------------------------------------------------------------------------------
 1 | OUTPUT_FORMAT("elf32-littlearm")
 2 | ENTRY(_entrypoint)
 3 | 
 4 | SECTIONS
 5 | {
 6 |     . = 0;
 7 |     .shcode : {
 8 |         *(.entry)
 9 |         . = ALIGN(4);
10 |         *(.text)
11 |         . = ALIGN(4);
12 |         *(.data .data.*)
13 |         . = ALIGN(4);
14 |         *(.rodata *.rodata.*)
15 |     }
16 | }
17 | 


--------------------------------------------------------------------------------
/util/patch.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #
 3 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
 4 | # Copyright (c) 2022 Kendall Goto
 5 | # with some code derived from https://github.com/airbus-seclab/ilo4_toolbox
 6 | #
 7 | # This program is free software: you can redistribute it and/or modify
 8 | # it under the terms of the GNU General Public License as published by
 9 | # the Free Software Foundation, version 3.
10 | #
11 | # This program is distributed in the hope that it will be useful, but
12 | # WITHOUT ANY WARRANTY; without even the implied warranty of
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 | # General Public License for more details.
15 | #
16 | # You should have received a copy of the GNU General Public License
17 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 | 
19 | import sys
20 | import json
21 | import imp
22 | import os
23 | from keystone import *
24 | from common import *
25 | 
26 | if len(sys.argv) < 4:
27 |     print "usage: %s <input-file.bin> <patch-file.json> <result-file.bin.patched>" % sys.argv[0]
28 |     sys.exit(1)
29 | 
30 | with open(sys.argv[1], "rb") as f:
31 |     data = f.read()
32 | 
33 | with open(sys.argv[2], "rb") as f:
34 |     patches = json.load(f)
35 | 
36 | for patch in patches:
37 |     print "Applying patch, \"%s\"" % patch["remark"]
38 | 
39 |     offs = int(patch["offset"], 0)
40 |     size = patch["size"]
41 |     endOffs = offs+size
42 |     check_data = data[offs:endOffs]
43 | 
44 |     if "prev_data" in patch:
45 |         if "noDecode" in patch:
46 |             prev_data = patch["prev_data"]
47 |         else:
48 |             prev_data = ("".join(patch["prev_data"].split())).decode("hex")
49 |         if check_data != prev_data:
50 |             print hexdump(prev_data)
51 |             print hexdump(check_data)
52 |             print "[-] Error, bad file content at offset %x" % offs
53 |             sys.exit(1)
54 |     if "file" in patch:
55 |         dir = os.path.dirname(sys.argv[2])
56 |         patch["file"] = os.path.join(dir, "asm", patch["file"])
57 | 
58 |         patch["patch"] = read_patch(patch["file"])
59 |         patch["noDecode"] = True
60 |     if "noDecode" in patch:
61 |         patch_data = patch["patch"]
62 |     else:
63 |         patch_data = ("".join(patch["patch"].split())).decode("hex")
64 |     realsize = sys.getsizeof(patch_data) - sys.getsizeof('')
65 |     print hexdump(check_data)
66 |     print hexdump(patch_data)
67 |     if realsize != size:
68 |         print "Patch length (%d) does not match replaced size (%d)" % (realsize, size)
69 |         sys.exit(1)
70 |     data = data[:offs] + patch_data + data[endOffs:]
71 | 
72 | data = data
73 | with open(sys.argv[3], "wb") as f:
74 |     f.write(data)
75 | 


--------------------------------------------------------------------------------
/util/repl.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #
  3 | # This file is part of ilo4_unlock (https://github.com/kendallgoto/ilo4_unlock/).
  4 | # Copyright (c) 2022 Kendall Goto
  5 | # with some code derived from https://github.com/airbus-seclab/ilo4_toolbox
  6 | #
  7 | # This program is free software: you can redistribute it and/or modify
  8 | # it under the terms of the GNU General Public License as published by
  9 | # the Free Software Foundation, version 3.
 10 | #
 11 | # This program is distributed in the hope that it will be useful, but
 12 | # WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 14 | # General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program. If not, see <http://www.gnu.org/licenses/>.
 18 | 
 19 | """
 20 | This REPL environment is heavily based on Airbus Security Lab's work.
 21 | It produces an SSH-based REPL that allows us to (r)ead/(a)lloc/(w)rite/(f)ree/e(x)ecute
 22 | arbitrary code on a running device, patched with our tools. Install 277-tools before using this
 23 | REPL!
 24 | 
 25 | Notably, we can create new shell commands on-the-fly by performing `wf [source.S]`, which
 26 | assembles, allocates and writes custom code to memory.
 27 | 
 28 | Use at your own risk.
 29 | """
 30 | import keystone
 31 | import paramiko
 32 | import argparse
 33 | import logging
 34 | import sys
 35 | import time
 36 | import struct
 37 | import os
 38 | from keystone import *
 39 | from common import *
 40 | 
 41 | """CONFIG"""
 42 | logging.basicConfig(level=logging.DEBUG)
 43 | triggerCommand = b'help'
 44 | """END CONFIG"""
 45 | def recv_all():
 46 |     time.sleep(.05)
 47 |     result = b''
 48 |     while channel.recv_ready():
 49 |             result += channel.recv(4096)
 50 |     if result:
 51 |         logger.debug("SSH recv: %r", result)
 52 |     return result
 53 | def recv_force():
 54 |     data = recv_all()
 55 |     numiter = 0
 56 |     while not data:
 57 |         numiter += 1
 58 |         logger.debug("Waiting ...")
 59 |         if numiter <= 10:
 60 |                 time.sleep(.1)
 61 |         else:
 62 |             logger.fatal("Time out")
 63 |             return "hpiLO"
 64 |         data = recv_all()
 65 |     return data
 66 | def recv_until_prompt():
 67 |     data = recv_force()
 68 |     while b'hpiLO' not in data:
 69 |         data += recv_force()
 70 |     return data
 71 | def send(data):
 72 |     logger.debug("SSH send: %r", data)
 73 |     channel.send(data)
 74 | def srp(d):
 75 |         send(d)
 76 |         return recv_until_prompt()
 77 | def run_command(cmd):
 78 |     result = srp(cmd + b'\r')
 79 |     needle = b'status_tag=COMMAND COMPLETED\r\n'
 80 |     idx = result.index(needle)
 81 |     return result[idx+len(needle):].split(b'\n', 4)[-1]
 82 | 
 83 | A16_ENCODING = [c.encode('ascii') for c in 'ABCDEFGHIJKLMNOP']
 84 | def a16_u8_encode(val):
 85 |     """Encode a u8 in alpha-16 encoding"""
 86 |     assert 0 <= val <= 0xff
 87 |     return A16_ENCODING[val >> 4] + A16_ENCODING[val & 15]
 88 | def a16_data_encode(data):
 89 |     return b''.join(a16_u8_encode(struct.unpack('B', data[i:i+1])[0]) for i in range(len(data)))
 90 | def a16_u32_encode(val):
 91 |     """Encode a u32 in alpha-16 encoding (in Big Endian)"""
 92 |     return a16_data_encode(struct.pack('>I', val))
 93 | def send_custom(op, arg1, *args):
 94 |     arg1 = a16_u32_encode(arg1)
 95 |     cmd = triggerCommand + b' ' + op.encode('ascii') + arg1
 96 |     if args:
 97 |         cmd += b' ' + b' '.join(a.encode('ascii') if isinstance(a, str) else a for a in args)
 98 |     logger.debug(hexdump(cmd))
 99 |     # cmd = b'uname'
100 |     output = srp(cmd + b'\r')
101 |     cmdindex = output.index(cmd)
102 |     output_prefix = output[:cmdindex].lstrip(b'\r\n')
103 |     output = output_prefix + output[cmdindex + len(cmd):].lstrip(b'\r\n')
104 |     output = output[:output.rindex(b'hpiLO')].rsplit(b'\n', 1)[0]
105 |     return output.strip(b'\r\n')
106 | def exec_read(cmd):
107 |     if len(cmd) < 3:
108 |         print "r [address] [len]"
109 |         return
110 |     addr = int(cmd[1], 0)
111 |     result = send_custom('r', addr, cmd[2])
112 |     print hexdump(result)
113 |     print result
114 |     return result
115 | def exec_write_partial(addr, data):
116 |     if not data:
117 |         return (0, b'')
118 |     size = min(len(data), 100)
119 |     output = send_custom('w', addr, a16_data_encode(data[:size]))
120 |     all_lines = [line.strip() for line in output.decode('ascii').splitlines() if line not in ('', ' ', '> ', '-> ')]
121 |     if len(all_lines) != size:
122 |         logger.error("Unexpected output line number, got %d expected %d", len(all_lines), size)
123 |     assert len(all_lines) == size
124 |     for i, line in enumerate(all_lines):
125 |             logger.debug(line)
126 |             expected = '%#x <- %#x' % (addr + i, bytearray(data[i])[0])
127 |             if expected.endswith(' <- 0x0'):
128 |                 expected = '%#x <- 0' % (addr+i)
129 |             if expected != line:
130 |                 logger.warning("Unexpected write writing 0x%02x to %#x: got %r instead of %r", data[i], addr+i, line, expected)
131 |     return (size, data[size:])
132 | 
133 | def exec_write(cmd):
134 |     # w [address] [data]
135 |     if len(cmd) < 3:
136 |         print "w [address] [data]"
137 |         return
138 |     addr = int(cmd[1], 0)
139 |     data = cmd[2]
140 |     while data:
141 |         size, data = exec_write_partial(addr, data)
142 |         addr += size
143 | 
144 | def exec_exec(cmd):
145 |     # x [address]
146 |     addr = int(cmd[1], 0)
147 |     print send_custom('x', addr)
148 | 
149 | def exec_alloc(cmd):
150 |     # a [size]
151 |     size = int(cmd[1], 0)
152 |     output = send_custom('a', size)
153 |     if output == b'alloc 0':
154 |         logger.error("OUT OF MEMORY")
155 |     prefix = b'alloc 0x'
156 |     assert output.startswith(prefix)
157 |     print output
158 |     return int(output[len(prefix):], 16)
159 | 
160 | def exec_free(cmd):
161 |     # f [address]
162 |     addr = int(cmd[1], 0)
163 |     print send_custom('f', addr)
164 | 
165 | def exec_write_file(cmd):
166 |     # wf [file]
167 |     if len(cmd) < 2:
168 |         print "wf [file]"
169 |         return
170 |     try:
171 |         patch = read_patch(cmd[1])
172 |     except:
173 |         logger.error("failed to assemble patch")
174 |         return
175 |     addr = exec_alloc(['a', str(len(patch)+16)])
176 |     print "allocated 0x%x bytes at 0x%x" % (len(patch)+16, addr)
177 |     exec_write(['w', "0x%x" % addr, patch])
178 |     print "wrote to 0x%x, execute with x 0x%x" % (addr, addr)
179 | 
180 | def exec_write_bin(cmd):
181 |     # wb [file]
182 |     if len(cmd) < 2:
183 |         print "wb [file]"
184 |         return
185 |     with open(cmd[1], 'rb') as f:
186 |         patch = f.read()
187 | 
188 |     addr = exec_alloc(['a', str(len(patch)+16)])
189 |     print "allocated 0x%x bytes at 0x%x" % (len(patch)+16, addr)
190 |     exec_write(['w', "0x%x" % addr, patch])
191 |     print "wrote to 0x%x, execute with x 0x%x" % (addr, addr)
192 | def exec_setcmd(cmd):
193 |     #sc [addr]
194 |     if len(cmd) < 2:
195 |         print "sc [addr]"
196 |         return
197 |     addr = int(cmd[1], 0)
198 |     exec_write(['w', "0x000BAB98", struct.pack('<I', addr)])
199 |     print "wrote null_cmd to 0x%x" % addr
200 | def exec_plain(cmd):
201 |     cmd.pop(0)
202 |     fullcmd = " ".join(cmd)
203 |     print srp(fullcmd + b'\r')
204 | parser = argparse.ArgumentParser(description="SSH Tools for iLO4_unlock")
205 | parser.add_argument('addr', help="IP of iLO")
206 | parser.add_argument('-u', '--user', type=str, default='Administrator', help="iLO Username")
207 | parser.add_argument('-p', '--password', type=str, default='', help="iLO Password")
208 | parser.add_argument('-P', '--port', type=int, default=22, help="SSH Port")
209 | 
210 | args = parser.parse_args()
211 | 
212 | logger = logging.getLogger('ssh')
213 | logger.info("Connecting ...")
214 | client = paramiko.client.SSHClient()
215 | client.set_missing_host_key_policy(paramiko.client.AutoAddPolicy)
216 | client.connect(args.addr, args.port, username=args.user, password=args.password, timeout=30, allow_agent=False, look_for_keys=False)
217 | 
218 | logger.info("SSH session to %s:%d opened", args.addr, args.port)
219 | 
220 | channel = client.invoke_shell()
221 | channel.setblocking(0)
222 | 
223 | recv_until_prompt()
224 | run_command('show')
225 | logger.info("ready")
226 | 
227 | while True:
228 |     cmd = raw_input("> ")
229 |     cmd = cmd.split(' ')
230 |     if cmd[0] == 'r':
231 |         exec_read(cmd)
232 |     elif cmd[0] == 'w':
233 |         exec_write(cmd)
234 |     elif cmd[0] == 'x':
235 |         exec_exec(cmd)
236 |     elif cmd[0] == 'a':
237 |         exec_alloc(cmd)
238 |     elif cmd[0] == 'f':
239 |         exec_free(cmd)
240 |     elif cmd[0] == 'wf':
241 |         exec_write_file(cmd)
242 |     elif cmd[0] == 'wb':
243 |         exec_write_bin(cmd)
244 |     elif cmd[0] == 'sc':
245 |         exec_setcmd(cmd)
246 |     elif cmd[0] == 'z':
247 |         exec_plain(cmd)
248 |     elif cmd[0] =='exit':
249 |         break
250 |     else:
251 |         print("r/w/x/a/f/wf")
252 | 
253 | if client:
254 |     client.close()
255 | 


--------------------------------------------------------------------------------